GitHub.com traefik/traefik v2 vulnerabilities
47 known vulnerabilities affecting github.com/traefik_traefik_v2.
Total CVEs: 47
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 20, MEDIUM 21, LOW 1
Vulnerabilities
Page 1 of 3
CVE-2023-45288 | P2 | HIGH | CVSS 7.5 | Affected: ≥ 0, < 2.11.2 | 2024-04-15
CVE-2023-45288 [HIGH] Traefik affected by HTTP/2 CONTINUATION flood in net/http
There is a potential vulnerability in Traefik managing HTTP/2 connections.
More details in the [CVE-2023-45288](https://www.cve.org/CVERecord?id=CVE-2023-45288).
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.2
- https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5
## Workarounds
No workaround
## For more information
If you ha
Sources: GHSA, OSV
CVE-2026-48020 | P2 | HIGH | Affected: ≥ 0, < 2.11.48 | 2026-06-11
CVE-2026-48020 [HIGH] CWE-288 Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization
## Summary
There is a high severity vulnerability in Traefik's `StripPrefix` middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a `PathPrefix` rule and applies the `StripPrefix` middleware, a request path containing `..` or its percen
Sources: GHSA
CVE-2026-39858 | P2 | HIGH | Affected: ≥ 0, < 2.11.43 | 2026-04-24
CVE-2026-39858 [HIGH] CWE-290 Traefik: Pre-authentication decision bypass due to forwarded alias spoofing
## Summary
There is a high severity authentication bypass vulnerability in Traefik's `ForwardAuth` and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., `X-Forwarded-Proto`) and does not strip or normalize alias variants that use unders
Sources: GHSA
CVE-2026-53622 | P2 | HIGH | Affected: ≥ 0, ≤ 2.11.50 | 2026-06-16
CVE-2026-53622 [HIGH] CWE-288 Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts
## Summary
There is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration
Sources: GHSA
CVE-2026-33186 | P2 | CRITICAL | CVSS 9.1 | Affected: ≥ 0, < 2.11.42 | 2026-03-29
CVE-2026-33186 [CRITICAL] CWE-1395 Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186)
## Summary
There is a potential vulnerability in Traefik due to its dependency on an affected version of gRPC-Go (CVE-2026-33186).
A remote, unauthenticated attacker can send gRPC requests with a malformed HTTP/2 `:path` pseudo-header omitting
Sources: GHSA, OSV
CVE-2026-35051 | P2 | HIGH | Affected: ≥ 0, < 2.11.43 | 2026-04-24
CVE-2026-35051 [HIGH] CWE-345 Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication
## Summary
There is a high-severity authentication bypass vulnerability in Traefik's `ForwardAuth` middleware when `trustForwardHeader=false` is configured and Traefik is deployed behind a trusted upstream proxy.
While `X-Forwarded-*` headers (such as `X-
Sources: GHSA
CVE-2026-44774 | P2 | MEDIUM | Affected: ≥ 0, < 2.11.46 | 2026-05-13
CVE-2026-44774 [MEDIUM] CWE-284 Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false
## Summary
There is a medium severity vulnerability in Traefik's Kubernetes Gateway API provider that allows a tenant with `HTTPRoute` creation permissi
Sources: GHSA
CVE-2025-47952 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 0, < 2.11.25 | 2025-05-28
CVE-2025-47952 [HIGH] CWE-22 Traefik allows path traversal using URL encoding
## Impact
There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher.
When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewa
Sources: GHSA, OSV
CVE-2025-68121 | P3 | CRITICAL | CVSS 10.0 | Affected: ≥ 0, < 2.11.37 | 2026-02-20
CVE-2025-68121 [CRITICAL] CWE-1395 Traefik affected by TLS ClientAuth Bypass on HTTP/3
### Summary
There is a potential vulnerability in Traefik managing HTTP/3 connections.
More details in the [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121).
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.37
- https://github.com/traefik/traefik/releases/tag/v3.6.8
## Workarounds
No workaround
## For more information
Sources: GHSA, OSV
CVE-2025-54386 | P2 | HIGH | Affected: ≥ 0, < 2.11.28 | 2025-08-01
CVE-2025-54386 [HIGH] CWE-22 Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution
### Summary
A path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with `../` sequences, an attacker can overwrite arbitrary files on the s
Sources: GHSA, OSV
CVE-2026-33433 | P3 | MEDIUM | Affected: ≥ 0, < 2.11.42 | 2026-03-27
CVE-2026-33433 [MEDIUM] CWE-290 Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField
## Summary
There is a potential vulnerability in Traefik's Basic and Digest authentication middlewares when `headerField` is configured with a non-canonical HTTP header name.
An authenticated attacker with valid credentials can inject the canonical version of the configured header t
Sources: GHSA, OSV
CVE-2025-32431 | P3 | HIGH | Affected: ≥ 0, < 2.11.23 | 2025-04-21
CVE-2025-32431 [HIGH] CWE-22 Traefik has a possible vulnerability with its path matchers
## Impact
There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher.
When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a `/../` in its path, it’s possible to target a backend, exposed using another router, by-passing th
Sources: GHSA, OSV
CVE-2026-40912 | P3 | HIGH | Affected: ≥ 0, < 2.11.43 | 2026-04-24
CVE-2026-40912 [HIGH] CWE-706 Traefik has a StripPrefixRegex Middleware Authorization Bypass via Path/RawPath Desync
## Summary
There is a high severity authentication bypass vulnerability in Traefik's `StripPrefixRegex` middleware when used in combination with `ForwardAuth`, `BasicAuth`, or `DigestAuth`.
The middleware matches the regex against the decoded URL path but uses the resulting byte length to s
Sources: GHSA
CVE-2020-15129 | P3 | MEDIUM | PoC | Affected: ≥ 0, < 2.3.0-rc6; ≥ 2.3.0-rc1, < 2.3.0-rc6 | 2022-02-11
CVE-2020-15129 [MEDIUM] CWE-601 Traefik vulnerable to Open Redirect via handling of X-Forwarded-Prefix header
## Summary
There exists a potential open redirect vulnerability in Traefik's handling of the `X-Forwarded-Prefix` header. Active exploitation of this issue is unlikely, as it would require active header injection; however, the Traefik team addressed this issue nonetheless to prevent abuse in, e.g., cache poisonin
Sources: GHSA, OSV
CVE-2025-22871 | P3 | CRITICAL | CVSS 9.1 | Affected: ≥ 0, < 2.11.24 | 2025-04-18
CVE-2025-22871 [CRITICAL] CWE-1395 Traefik affected by Go HTTP Request Smuggling Vulnerability
### Summary
net/http: request smuggling through invalid chunked data: The net/http package accepts data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could
Sources: GHSA, OSV
CVE-2024-24790 | P3 | CRITICAL | CVSS 9.8 | Affected: ≥ 0, < 2.11.4 | 2024-06-11
CVE-2024-24790 [CRITICAL] CWE-180 Traefik has unexpected behavior with IPv4-mapped IPv6 addresses
### Impact
There is a vulnerability in [Go's various `Is*` methods (`IsPrivate`, `IsLoopback`, etc.) for IPv4-mapped IPv6 addresses](https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ).
They did not work as expected, returning false for addresses that would return true in their traditional IPv4 forms.
### Referen
Sources: GHSA, OSV
CVE-2026-29054 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 2.11.9, < 2.11.38 | 2026-03-04
CVE-2026-29054 [HIGH] CWE-178 traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)
## Impact
There is a potential vulnerability in Traefik managing the `Connection` header with `X-Forwarded` headers.
When Traefik processes HTTP/1.1 requests, the protection p
Sources: GHSA, OSV
CVE-2024-45410 | P3 | CRITICAL | CVSS 9.8 | Affected: ≥ 0, < 2.11.9 | 2024-09-19
CVE-2024-45410 [CRITICAL] CWE-345 HTTP client can manipulate custom HTTP headers that are added by Traefik
### Impact
There is a vulnerability in Traefik that allows the client to remove the `X-Forwarded-*` headers (except the `X-Forwarded-For` header).
### Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.9
- https://github.com/traefik/traefik/releases/tag/v3.1.3
### Workarounds
No workaround.
### For more i
Sources: GHSA, OSV
CVE-2026-32695 | P3 | MEDIUM | Affected: ≥ 0, ≤ 2.11.42 | 2026-03-27
CVE-2026-32695 [MEDIUM] CWE-74 Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass
## Summary
There is a potential vulnerability in Traefik's Kubernetes Knative, Ingress, and Ingress-NGINX providers related to rule injection.
User-controlled values are interpolated into backtick-delimited Traefik router rule expressions without escaping or validation. A malicious value containing a backti
Sources: GHSA, OSV
CVE-2026-27141 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 0, < 2.11.40 | 2026-03-12
CVE-2026-27141 [HIGH] CWE-476 Traefik: HTTP/2 frames can cause a running server to panic
## Summary
More Details:
- https://nvd.nist.gov/vuln/detail/CVE-2026-27141
- https://pkg.go.dev/golang.org/x/net/http2?tab=versions
## Patches
- https://github.com/traefik/traefik/releases/tag/v3.6.10
- https://github.com/traefik/traefik/releases/tag/v2.11.40
## For more information
If you have any questions or comments about this advisory, ple
Sources: GHSA, OSV