github.com/traefik/traefik/v3 vulnerabilities
41 known vulnerabilities affecting github.com/traefik/traefik/v3 (the Traefik v3 Go module).
Total CVEs: 41
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 16, MEDIUM 20
Vulnerabilities
Page 1 of 3
CVE-2023-45288 | P2 | HIGH | CVSS 7.5 | Affected: ≥ 3.0.0-rc1, < 3.0.0-rc5 | 2024-04-15
CVE-2023-45288 [HIGH] Traefik affected by HTTP/2 CONTINUATION flood in net/http
There is a potential vulnerability in Traefik managing HTTP/2 connections.
More details in the [CVE-2023-45288](https://www.cve.org/CVERecord?id=CVE-2023-45288).
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.2
- https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5
## Workarounds
No workaround
## For more information
If you ha
Sources: GHSA, OSV
CVE-2026-48020 | P2 | HIGH | Affected: ≥ 0, < 3.6.19; ≥ 3.7.0-ea.1, < 3.7.3 | 2026-06-11
CVE-2026-48020 [HIGH] CWE-288 Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization
## Summary
There is a high severity vulnerability in Traefik's `StripPrefix` middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a `PathPrefix` rule and applies the `StripPrefix` middleware, a request path containing `..` or its percen
Source: GHSA
CVE-2026-39858 | P2 | HIGH | Affected: ≥ 3.7.0-ea.1, < 3.7.0-rc.2; ≥ 3.0.0-beta1, < 3.6.14 | 2026-04-24
CVE-2026-39858 [HIGH] CWE-290 Traefik: Pre-authentication decision bypass due to forwarded alias spoofing
## Summary
There is a high severity authentication bypass vulnerability in Traefik's `ForwardAuth` and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., `X-Forwarded-Proto`) and does not strip or normalize alias variants that use unders
Source: GHSA
CVE-2026-33186 | P2 | CRITICAL | CVSS 9.1 | Affected: ≥ 3.0.0-beta3, < 3.6.12; ≥ 3.7.0-ea.1, < 3.7.0-ea.3 | 2026-03-29
CVE-2026-33186 [CRITICAL] CWE-1395 Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186)
## Summary
There is a potential vulnerability in Traefik due to its dependency on an affected version of gRPC-Go (CVE-2026-33186).
A remote, unauthenticated attacker can send gRPC requests with a malformed HTTP/2 `:path` pseudo-header omitting
Sources: GHSA, OSV
CVE-2026-35051 | P2 | HIGH | Affected: ≥ 3.7.0-ea.1, < 3.7.0-rc.2; ≥ 3.0.0-beta1, < 3.6.14 | 2026-04-24
CVE-2026-35051 [HIGH] CWE-345 Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication
## Summary
There is a high-severity authentication bypass vulnerability in Traefik's `ForwardAuth` middleware when `trustForwardHeader=false` is configured and Traefik is deployed behind a trusted upstream proxy.
While `X-Forwarded-*` headers (such as `X-
Source: GHSA
CVE-2026-44774 | P2 | MEDIUM | Affected: ≥ 3.7.0, < 3.7.1; ≥ 0, < 3.6.17 | 2026-05-13
CVE-2026-44774 [MEDIUM] CWE-284 Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false
## Summary
There is a medium severity vulnerability in Traefik's Kubernetes Gateway API provider that allows a tenant with `HTTPRoute` creation permissi
Source: GHSA
CVE-2025-47952 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 0, < 3.4.1 | 2025-05-28
CVE-2025-47952 [HIGH] CWE-22 Traefik allows path traversal using url encoding
## Impact
There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher.
When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewa
Sources: GHSA, OSV
CVE-2025-68121 | P3 | CRITICAL | CVSS 10.0 | Affected: ≥ 0, < 3.6.8 | 2026-02-20
CVE-2025-68121 [CRITICAL] CWE-1395 Traefik affected by TLS ClientAuth Bypass on HTTP/3
### Summary
There is a potential vulnerability in Traefik managing HTTP/3 connections.
More details in the [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121).
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.37
- https://github.com/traefik/traefik/releases/tag/v3.6.8
## Workarounds
No workaround
## For more information
Sources: GHSA, OSV
CVE-2025-54386 | P2 | HIGH | Affected: ≥ 0, < 3.4.5; ≥ 3.5.0-rc1, < 3.5.0 | 2025-08-01
CVE-2025-54386 [HIGH] CWE-22 Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution
### Summary
A path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with `../` sequences, an attacker can overwrite arbitrary files on the s
Sources: GHSA, OSV
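The defence against the ZIP traversal class described in CVE-2025-54386 is the same for any extractor: resolve every entry name against the destination root and refuse anything that ends up outside it before a single byte is written. The following is an added example, not Traefik's plugin installer; it assumes an in-memory archive and a temporary directory, and the archive entries (`demo/.traefik.yml`, `../outside.txt`) are constructed for the demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// safeJoin resolves an archive entry name inside root and rejects anything that
// would land outside it: ../ segments, an absolute path, or a volume prefix.
func safeJoin(root, name string) (string, error) {
	if strings.HasPrefix(name, "/") || filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", fmt.Errorf("zip entry %q is absolute", name)
	}
	cleanRoot := filepath.Clean(root)
	dest := filepath.Join(cleanRoot, filepath.FromSlash(name)) // Join cleans, so ../ collapses
	rel, err := filepath.Rel(cleanRoot, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("zip entry %q escapes %q", name, root)
	}
	return dest, nil
}

// ExtractArchive unpacks an in-memory ZIP into root and returns the entry names it
// wrote. The first entry that escapes root aborts the extraction with an error.
func ExtractArchive(data []byte, root string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var written []string
	for _, f := range zr.File {
		dest, err := safeJoin(root, f.Name)
		if err != nil {
			return written, err
		}
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(dest, 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
			return written, err
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		out, err := os.OpenFile(dest, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
		if err != nil {
			rc.Close()
			return written, err
		}
		// For untrusted archives a byte cap on this copy belongs here as well.
		_, err = io.Copy(out, rc)
		rc.Close()
		out.Close()
		if err != nil {
			return written, err
		}
		written = append(written, f.Name)
	}
	return written, nil
}

// BuildArchive builds a ZIP in memory from (name, content) pairs. It is a fixture:
// the archive writer does not validate names, so traversal entries can be produced.
func BuildArchive(entries [][2]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e[0])
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(e[1])); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	root, err := os.MkdirTemp("", "plugins-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	// Constructed archives: a well-formed plugin layout and one traversal entry.
	good := BuildArchive([][2]string{{"demo/.traefik.yml", "displayName: demo\n"}, {"demo/plugin.wasm", "\x00asm"}})
	bad := BuildArchive([][2]string{{"../outside.txt", "owned"}})
	w, err := ExtractArchive(good, root)
	fmt.Println("good:", w, err)
	w, err = ExtractArchive(bad, root)
	fmt.Println("bad:", w, err)
}
```

The check runs before any filesystem write, so a hostile entry anywhere in the archive produces an error rather than a partially extracted tree with one file placed outside the root.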
CVE-2026-33433 | P3 | MEDIUM | Affected: ≥ 3.0.0-beta1, < 3.6.12; ≥ 3.7.0-ea.1, < 3.7.0-ea.3 | 2026-03-27
CVE-2026-33433 [MEDIUM] CWE-290 Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField
## Summary
There is a potential vulnerability in Traefik's Basic and Digest authentication middlewares when `headerField` is configured with a non-canonical HTTP header name.
An authenticated attacker with valid credentials can inject the canonical version of the configured header t
Sources: GHSA, OSV
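CVE-2026-39858 (underscore aliases of `X-Forwarded-*`), CVE-2026-35051 (a client-supplied `X-Forwarded-Prefix`) and CVE-2026-33433 (a non-canonical `headerField`) share one root: Go's `http.Header` keys are compared by canonical spelling, while a backend or CGI-style environment folds `X_Forwarded_Proto`, `x-forwarded-proto` and `X-Forwarded-Proto` into the same variable. The block below is an added example, not Traefik's middleware code; `foldName`, the header values and the configured field name `x-user` are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
	"sort"
	"strings"
)

// foldName normalizes a header name the way a permissive backend or a CGI-style
// environment does: underscores count as hyphens and case is ignored. Go's
// http.Header keeps X-Forwarded-Proto and X_Forwarded_Proto under different keys,
// so a sanitizer that deletes only the canonical key leaves the alias in place.
func foldName(name string) string {
	return textproto.CanonicalMIMEHeaderKey(strings.ReplaceAll(name, "_", "-"))
}

// StripForwardedHeaders deletes every header that folds to an X-Forwarded-* name,
// whatever its spelling, and returns the removed keys sorted.
func StripForwardedHeaders(h http.Header) []string {
	var removed []string
	for key := range h {
		if strings.HasPrefix(foldName(key), "X-Forwarded-") {
			delete(h, key) // not h.Del: Del canonicalizes and would miss non-canonical keys
			removed = append(removed, key)
		}
	}
	sort.Strings(removed)
	return removed
}

// IdentityValues collects every value the backend could read for field across all
// spellings present in h. After a correct auth middleware there is exactly one.
func IdentityValues(h http.Header, field string) []string {
	var out []string
	for key, vals := range h {
		if foldName(key) == foldName(field) {
			out = append(out, vals...)
		}
	}
	sort.Strings(out)
	return out
}

// SetIdentityHeaderNaive writes the authenticated user under the configured name as
// given. If that name is not canonical, a client-sent canonical spelling survives
// next to it and the backend may prefer the client's value.
func SetIdentityHeaderNaive(h http.Header, field, user string) {
	h[field] = []string{user}
}

// SetIdentityHeader removes every alias of field the client may have sent, then
// writes the value once under the canonical key.
func SetIdentityHeader(h http.Header, field, user string) {
	for key := range h {
		if foldName(key) == foldName(field) {
			delete(h, key)
		}
	}
	h.Set(textproto.CanonicalMIMEHeaderKey(field), user)
}

func main() {
	// Constructed request: the client sends the canonical header and an alias.
	h := http.Header{}
	h.Set("Host", "app.example")
	h.Set("X-Forwarded-Proto", "https")
	h["X_Forwarded_Proto"] = []string{"https"}
	fmt.Println("removed:", StripForwardedHeaders(h), "headers left:", len(h))

	// Constructed request: headerField is configured as the non-canonical "x-user"
	// and the client pre-sets the canonical spelling.
	c := http.Header{}
	c.Set("X-User", "admin")
	SetIdentityHeaderNaive(c, "x-user", "alice")
	fmt.Println("naive:", IdentityValues(c, "x-user"))
	SetIdentityHeader(c, "x-user", "alice")
	fmt.Println("fixed:", IdentityValues(c, "x-user"))
}
```

When Traefik sits behind a trusted upstream proxy the stripping must be scoped to peers that are not on the trusted list; otherwise the upstream's own `X-Forwarded-*` values are discarded along with the spoofed ones.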
CVE-2025-32431 | P3 | HIGH | Affected: ≥ 0, < 3.3.6; ≥ 3.4.0-rc1, < 3.4.0-rc2 | 2025-04-21
CVE-2025-32431 [HIGH] CWE-22 Traefik has a possible vulnerability with its path matchers
## Impact
There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher.
When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a `/../` in its path, it’s possible to target a backend, exposed using another router, by-passing th
Sources: GHSA, OSV
CVE-2026-40912 | P3 | HIGH | Affected: ≥ 3.7.0-ea.1, < 3.7.0-rc.2; ≥ 3.0.0-beta1, < 3.6.14 | 2026-04-24
CVE-2026-40912 [HIGH] CWE-706 Traefik has a StripPrefixRegex Middleware Authorization Bypass via Path/RawPath Desync
## Summary
There is a high severity authentication bypass vulnerability in Traefik's `StripPrefixRegex` middleware when used in combination with `ForwardAuth`, `BasicAuth`, or `DigestAuth`.
The middleware matches the regex against the decoded URL path but uses the resulting byte length to s
Source: GHSA
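CVE-2025-32431, CVE-2025-47952, CVE-2026-48020 and CVE-2026-40912 are all instances of one request path having several views: the raw bytes a `PathPrefix` rule compares, the percent-decoded `Path` a middleware works on, and the dot-segment-normalized path the backend or another router finally resolves. The block below is an added example, not Traefik's router or middleware code; it uses Go's `net/url` to expose the three views, checks that a matched prefix survives all of them, and reproduces the decoded-length-applied-to-raw-bytes mistake the CVE-2026-40912 summary describes. The request paths and the prefixes `/public` and `/api` are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// PathViews are the three views of one request path that a proxy and its backend
// can disagree about. A byte-comparing PathPrefix rule sees Raw; a middleware
// working on u.Path sees Decoded; the backend (or another router) resolves Cleaned.
type PathViews struct {
	Raw     string // as sent on the wire, percent-encoding intact
	Decoded string // percent-decoded
	Cleaned string // decoded with dot segments resolved
}

func views(requestURI string) (PathViews, error) {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return PathViews{}, err
	}
	return PathViews{Raw: u.EscapedPath(), Decoded: u.Path, Cleaned: path.Clean(u.Path)}, nil
}

// underPrefix reports whether p is prefix itself or lies below it.
func underPrefix(p, prefix string) bool {
	prefix = strings.TrimSuffix(prefix, "/")
	return p == prefix || strings.HasPrefix(p, prefix+"/")
}

// PrefixHolds is the check an auth boundary attached to a PathPrefix router needs:
// the matched prefix must hold in all three views, otherwise the request is
// resolved outside the subtree the middleware chain was meant to protect.
func PrefixHolds(requestURI, prefix string) bool {
	v, err := views(requestURI)
	if err != nil {
		return false
	}
	return underPrefix(v.Raw, prefix) && underPrefix(v.Decoded, prefix) && underPrefix(v.Cleaned, prefix)
}

// DesyncedStrip reproduces the failure mode of measuring a prefix on the decoded
// path and cutting that many bytes from the raw path. The two views differ in
// length whenever the prefix region contains percent-encoding. It returns the
// remainder each approach produces.
func DesyncedStrip(requestURI, prefix string) (naive, correct string) {
	v, err := views(requestURI)
	if err != nil || !strings.HasPrefix(v.Decoded, prefix) {
		return "", ""
	}
	n := len(prefix) // length established on the decoded view ...
	if n <= len(v.Raw) {
		naive = v.Raw[n:] // ... applied to the raw view
	}
	correct = v.Decoded[n:] // strip on the same view that was matched
	return naive, correct
}

func main() {
	// Constructed requests against a router matching PathPrefix(`/public`).
	for _, r := range []string{"/public/assets/app.js", "/public/../admin", "/public/%2e%2e/admin"} {
		v, _ := views(r)
		fmt.Printf("%-24s holds=%-5v cleaned=%s\n", r, PrefixHolds(r, "/public"), v.Cleaned)
	}
	naive, correct := DesyncedStrip("/%61pi/v1/users", "/api")
	fmt.Printf("strip /api from /%%61pi/v1/users: naive=%q correct=%q\n", naive, correct)
}
```

The practical rule that falls out of this: normalize once, as early as possible, and make every later decision (matching, stripping, authorization) on that single normalized view.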
CVE-2025-22871 | P3 | CRITICAL | CVSS 9.1 | Affected: ≥ 0, < 3.3.6; ≥ 3.4.0-rc1, < 3.4.0-rc2 | 2025-04-18
CVE-2025-22871 [CRITICAL] CWE-1395 Traefik affected by Go HTTP Request Smuggling Vulnerability
### Summary
net/http: request smuggling through invalid chunked data: The net/http package accepts data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could
Sources: GHSA, OSV
CVE-2026-54762 | P3 | MEDIUM | Affected: ≥ 3.7.0-ea.1, < 3.7.5 | 2026-06-19
CVE-2026-54762 [MEDIUM] CWE-636 Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails
## Summary
There is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported `nginx.ingress.kubernetes.io/auth-type` and `auth-secret` annotations,
Source: GHSA
CVE-2024-24790 | P3 | CRITICAL | CVSS 9.8 | Affected: ≥ 3.0.0-beta3, < 3.0.2 | 2024-06-11
CVE-2024-24790 [CRITICAL] CWE-180 Traefik has unexpected behavior with IPv4-mapped IPv6 addresses
### Impact
There is a vulnerability in [Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses](https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ).
They did not work as expected, returning false for addresses that would return true in their traditional IPv4 forms.
### Referen
Sources: GHSA, OSV
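The robust handling of the IPv4-mapped form is to unmap before classifying, so the answer does not depend on how the peer address was presented or on the Go version's treatment of `::ffff:a.b.c.d`. The block below is an added example, not Traefik's code, and it goes one step beyond the Is* methods in the advisory: `netip.Prefix.Contains` also treats a mapped address as IPv6, so an IPv4 CIDR never matches it, which is the same class of surprise for an allow-list or deny-list. The addresses and the `10.0.0.0/8` prefix are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Classification is the subset of Go's Is* answers an IP-based access decision
// usually depends on.
type Classification struct {
	Private  bool
	Loopback bool
}

// ClassifyNormalized unmaps an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to its
// IPv4 form before classifying it. Unmap is a no-op for plain IPv4 and for IPv6
// addresses that are not mapped, so it is safe to apply unconditionally.
func ClassifyNormalized(s string) (Classification, error) {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return Classification{}, err
	}
	a = a.Unmap()
	return Classification{Private: a.IsPrivate(), Loopback: a.IsLoopback()}, nil
}

func parsePrefixes(cidrs []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, err
		}
		out = append(out, p)
	}
	return out, nil
}

// AllowedNaive checks the client address exactly as parsed. netip.Prefix.Contains
// treats an IPv4-mapped IPv6 address as IPv6, so an IPv4 list entry never matches
// it. For an allow-list that means a wrongly denied client; for a deny-list or an
// "is this internal" check it means the mapped form walks straight past the rule.
func AllowedNaive(client string, cidrs []string) (bool, error) {
	a, err := netip.ParseAddr(client)
	if err != nil {
		return false, err
	}
	ps, err := parsePrefixes(cidrs)
	if err != nil {
		return false, err
	}
	for _, p := range ps {
		if p.Contains(a) {
			return true, nil
		}
	}
	return false, nil
}

// Allowed unmaps first, so the decision is made on the IPv4 host the mapped
// address names.
func Allowed(client string, cidrs []string) (bool, error) {
	a, err := netip.ParseAddr(client)
	if err != nil {
		return false, err
	}
	return AllowedNaive(a.Unmap().String(), cidrs)
}

func main() {
	for _, s := range []string{"10.1.2.3", "::ffff:10.1.2.3", "::ffff:127.0.0.1", "203.0.113.5"} {
		c, _ := ClassifyNormalized(s)
		fmt.Printf("%-18s private=%-5v loopback=%v\n", s, c.Private, c.Loopback)
	}
	naive, _ := AllowedNaive("::ffff:10.1.2.3", []string{"10.0.0.0/8"})
	fixed, _ := Allowed("::ffff:10.1.2.3", []string{"10.0.0.0/8"})
	fmt.Println("10.0.0.0/8 contains ::ffff:10.1.2.3: naive =", naive, "unmapped =", fixed)
}
```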
CVE-2026-29054 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 3.1.3, < 3.6.9 | 2026-03-04
CVE-2026-29054 [HIGH] CWE-178 traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)
## Impact
There is a potential vulnerability in Traefik managing the `Connection` header with `X-Forwarded` headers.
When Traefik processes HTTP/1.1 requests, the protection p
Sources: GHSA, OSV
CVE-2024-45410 | P3 | CRITICAL | CVSS 9.8 | Affected: ≥ 3.0.0-beta3, < 3.1.3 | 2024-09-19
CVE-2024-45410 [CRITICAL] CWE-345 HTTP client can manipulate custom HTTP headers that are added by Traefik
### Impact
There is a vulnerability in Traefik that allows the client to remove the X-Forwarded headers (except the header X-Forwarded-For).
### Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.9
- https://github.com/traefik/traefik/releases/tag/v3.1.3
### Workarounds
No workaround.
### For more i
Sources: GHSA, OSV
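CVE-2024-45410 and its follow-up CVE-2026-29054 concern the `Connection` header: a proxy removes the hop-by-hop headers a client names there, and if the proxy's own `X-Forwarded-*` and `X-Real-Ip` headers are not exempted, or the exemption compares tokens case-sensitively while `http.Header.Del` canonicalizes, the client can delete them. The block below is an added example, not Traefik's forwarded-header code; the protected set (`X-Real-Ip` plus `X-Forwarded-*`) and the sample request are constructed, and the two functions show the case-sensitive check beside the canonicalizing one.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
	"sort"
	"strings"
)

// connectionTokens splits every Connection header value into its comma-separated tokens.
func connectionTokens(h http.Header) []string {
	var toks []string
	for _, v := range h.Values("Connection") {
		for _, t := range strings.Split(v, ",") {
			if t = strings.TrimSpace(t); t != "" {
				toks = append(toks, t)
			}
		}
	}
	return toks
}

// isProxyManaged says whether a header name belongs to the proxy rather than the
// client: the forwarded identity set plus X-Real-Ip. It expects canonical input.
func isProxyManaged(name string) bool {
	return name == "X-Real-Ip" || strings.HasPrefix(name, "X-Forwarded-")
}

// RemoveHopByHopNaive honours Connection tokens but checks the protected list against
// the token as written. http.Header.Del canonicalizes its argument, so a lowercase
// token slips past the check and still deletes the canonical header.
func RemoveHopByHopNaive(h http.Header) []string {
	var removed []string
	for _, tok := range connectionTokens(h) {
		if isProxyManaged(tok) { // case-sensitive: "x-real-ip" is not recognised
			continue
		}
		if h.Values(tok) != nil {
			h.Del(tok)
			removed = append(removed, textproto.CanonicalMIMEHeaderKey(tok))
		}
	}
	h.Del("Connection")
	sort.Strings(removed)
	return removed
}

// RemoveHopByHop canonicalizes each token before the protected check, so no spelling
// of a proxy-managed header can be deleted by the client.
func RemoveHopByHop(h http.Header) []string {
	var removed []string
	for _, tok := range connectionTokens(h) {
		canon := textproto.CanonicalMIMEHeaderKey(tok)
		if isProxyManaged(canon) || canon == "Connection" {
			continue
		}
		if h.Values(canon) != nil {
			h.Del(canon)
			removed = append(removed, canon)
		}
	}
	h.Del("Connection")
	sort.Strings(removed)
	return removed
}

// sample is a constructed request as it looks after the proxy has added its own
// headers; the client-controlled Connection value names one of them in lowercase.
func sample() http.Header {
	h := http.Header{}
	h.Set("Host", "app.example")
	h.Set("Connection", "close, x-real-ip, Keep-Alive, X-Forwarded-Host")
	h.Set("Keep-Alive", "timeout=5")
	h.Set("X-Real-Ip", "198.51.100.7")
	h.Set("X-Forwarded-For", "198.51.100.7")
	h.Set("X-Forwarded-Host", "app.example")
	return h
}

func main() {
	h := sample()
	fmt.Println("naive removed:", RemoveHopByHopNaive(h), "X-Real-Ip now:", h.Get("X-Real-Ip"))
	h = sample()
	fmt.Println("fixed removed:", RemoveHopByHop(h), "X-Real-Ip now:", h.Get("X-Real-Ip"))
}
```

Ordering matters as much as the comparison: hop-by-hop removal should run on the client's request before the proxy appends its own headers, so that nothing the proxy adds is ever a candidate for deletion.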
CVE-2026-32695 | P3 | MEDIUM | Affected: ≥ 0, < 3.6.11; ≥ 3.7.0-ea.1, < 3.7.0-ea.2 | 2026-03-27
CVE-2026-32695 [MEDIUM] CWE-74 Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass
## Summary
There is a potential vulnerability in Traefik's Kubernetes Knative, Ingress, and Ingress-NGINX providers related to rule injection.
User-controlled values are interpolated into backtick-delimited Traefik router rule expressions without escaping or validation. A malicious value containing a backti
Sources: GHSA, OSV
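The rule-injection pattern in CVE-2026-32695 is string interpolation into a mini-language: a user-controlled value placed between backticks in a Traefik rule ends the string literal as soon as it contains a backtick, and the rest of the value is parsed as rule syntax. The block below is an added example, not Traefik's provider code; it shows the naive interpolation next to a builder that validates each value as a strict DNS name (which can never contain a backtick, space or parenthesis) before interpolating it. The host values, including the injected one, are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// naiveHostRule interpolates each value into a backtick-quoted Host() clause, which is
// the pattern the advisory describes. A value containing a backtick ends the string
// literal early and whatever follows is parsed as part of the rule.
func naiveHostRule(hosts []string) string {
	clauses := make([]string, 0, len(hosts))
	for _, h := range hosts {
		clauses = append(clauses, "Host(`"+h+"`)")
	}
	return strings.Join(clauses, " || ")
}

// dnsName is a strict hostname: lowercase letter-digit-hyphen labels of 1 to 63
// characters, dot-separated, no leading or trailing hyphen in a label. Nothing in
// the accepted alphabet can terminate a backtick string or open a new matcher.
var dnsName = regexp.MustCompile(`^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// HostRule validates every value as a DNS name before it is interpolated and returns
// an error for the first value that is not one. Rejecting is preferred over escaping:
// a hostname has no legitimate need for characters that would require escaping.
func HostRule(hosts []string) (string, error) {
	normalized := make([]string, 0, len(hosts))
	for _, h := range hosts {
		n := strings.ToLower(strings.TrimSuffix(h, "."))
		if n == "" || len(n) > 253 || !dnsName.MatchString(n) {
			return "", fmt.Errorf("refusing host %q: not a valid DNS name", h)
		}
		normalized = append(normalized, n)
	}
	return naiveHostRule(normalized), nil
}

// ClauseCount counts matcher clauses in a rule by its backtick pairs. A rule built
// from n hosts should have exactly n; a higher count is the injection signature.
func ClauseCount(rule string) int {
	return strings.Count(rule, "`") / 2
}

func main() {
	// Constructed values: two legitimate hosts and one carrying rule syntax.
	good := []string{"App.Example.", "api.example"}
	injected := []string{"app.example`) || PathPrefix(`/"}

	rule, err := HostRule(good)
	fmt.Printf("validated: %s (err=%v)\n", rule, err)
	naive := naiveHostRule(injected)
	fmt.Printf("naive:     %s (clauses=%d)\n", naive, ClauseCount(naive))
	_, err = HostRule(injected)
	fmt.Printf("validated: err=%v\n", err)
}
```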
CVE-2026-27141 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 0, < 3.6.10 | 2026-03-12
CVE-2026-27141 [HIGH] CWE-476 Traefik: HTTP/2 frames can cause a running server to panic
## Summary
More Details:
- https://nvd.nist.gov/vuln/detail/CVE-2026-27141
- https://pkg.go.dev/golang.org/x/net/http2?tab=versions
## Patches
- https://github.com/traefik/traefik/releases/tag/v3.6.10
- https://github.com/traefik/traefik/releases/tag/v2.11.40
## For more information
If you have any questions or comments about this advisory, ple
Sources: GHSA, OSV
CVE-2026-25949 | P3 | HIGH | Affected: ≥ 0, < 3.6.8 | 2026-02-12
CVE-2026-25949 [HIGH] CWE-400 Traefik: TCP readTimeout bypass via STARTTLS on Postgres
## Impact
There is a potential vulnerability in Traefik managing STARTTLS requests.
An unauthenticated client can bypass Traefik entrypoint `respondingTimeouts.readTimeout` by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service.
## Patches
- http
Sources: GHSA, OSV