Github.Com Traefik Traefik V3 vulnerabilities
31 known vulnerabilities affecting github.com/traefik_traefik_v3.
Total CVEs: 31
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 12, MEDIUM 14
Vulnerabilities
Page 1 of 2
CVE-2026-33186 | CRITICAL | CVSS 9.1 | affected versions: ≥ 3.0.0-beta3, < 3.6.12; ≥ 3.7.0-ea.1, < 3.7.0-ea.3 | 2026-03-29
CVE-2026-33186 [CRITICAL] CWE-1395 Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186)
## Summary
There is a potential vulnerability in Traefik due to its dependency on an affected version of gRPC-Go (CVE-2026-33186).
A remote, unauthenticated attacker can send gRPC requests with a malformed HTTP/2 `:path` pseudo-header omitting
CVE-2026-32695 | MEDIUM | affected versions: ≥ 0, < 3.6.11; ≥ 3.7.0-ea.1, < 3.7.0-ea.2 | 2026-03-27
CVE-2026-32695 [MEDIUM] CWE-74 Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass
## Summary
There is a potential vulnerability in Traefik's Kubernetes Knative, Ingress, and Ingress-NGINX providers related to rule injection.
User-controlled values are interpolated into backtick-delimited Traefik router rule expressions without escaping or validation. A malicious value containing a backti
CVE-2026-33433 | MEDIUM | affected versions: ≥ 3.0.0-beta1, < 3.6.12; ≥ 3.7.0-ea.1, < 3.7.0-ea.3 | 2026-03-27
CVE-2026-33433 [MEDIUM] CWE-290 Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField
## Summary
There is a potential vulnerability in Traefik's Basic and Digest authentication middlewares when `headerField` is configured with a non-canonical HTTP header name.
An authenticated attacker with valid credentials can inject the canonical version of the configured header t
CVE-2026-32305 | HIGH | affected versions: ≥ 3.7.0-ea.1, < 3.7.0-ea.2; ≥ 0, < 3.6.11 | 2026-03-20
CVE-2026-32305 [HIGH] CWE-287 Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config
## Summary
There is a potential vulnerability in Traefik's TLS SNI pre-sniffing logic related to fragmented ClientHello packets.
When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extr
CVE-2026-32595 | MEDIUM | affected versions: ≥ 0, < 3.6.11; ≥ 3.7.0-ea.1, < 3.7.0-ea.2 | 2026-03-20
CVE-2026-32595 [MEDIUM] CWE-208 Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration
## Summary
There is a potential vulnerability in Traefik's BasicAuth middleware that allows username enumeration via a timing attack.
When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediat
CVE-2026-27141 | HIGH | CVSS 7.5 | affected versions: ≥ 0, < 3.6.10 | 2026-03-12
CVE-2026-27141 [HIGH] CWE-476 Traefik: HTTP/2 frames can cause a running server to panic
## Summary
More Details:
- https://nvd.nist.gov/vuln/detail/CVE-2026-27141
- https://pkg.go.dev/golang.org/x/net/http2?tab=versions
## Patches
- https://github.com/traefik/traefik/releases/tag/v3.6.10
- https://github.com/traefik/traefik/releases/tag/v2.11.40
## For more information
If you have any questions or comments about this advisory, ple
CVE-2026-29777 | MEDIUM | affected versions: ≥ 0, < 3.6.10 | 2026-03-11
CVE-2026-29777 [MEDIUM] CWE-74 Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values
## Summary
There is a potential vulnerability in Traefik's Kubernetes Gateway provider related to rule injection.
A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query para
CVE-2026-26999 | HIGH | affected versions: ≥ 0, < 3.6.9 | 2026-03-04
CVE-2026-26999 [HIGH] CWE-400 Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DOS)
## Impact
There is a potential vulnerability in Traefik managing TLS handshake on TCP routers.
When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is complete
CVE-2026-29054 | HIGH | CVSS 7.5 | affected versions: ≥ 3.1.3, < 3.6.9 | 2026-03-04
CVE-2026-29054 [HIGH] CWE-178 traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)
## Impact
There is a potential vulnerability in Traefik managing the `Connection` header with `X-Forwarded` headers.
When Traefik processes HTTP/1.1 requests, the protection p
CVE-2026-26998 | MEDIUM | affected versions: ≥ 0, < 3.6.9 | 2026-03-04
CVE-2026-26998 [MEDIUM] CWE-770 Traefik has unbounded io.ReadAll on auth server response body that causes OOM DOS
## Impact
There is a potential vulnerability in Traefik managing the ForwardAuth middleware responses.
When Traefik is configured to use the ForwardAuth middleware, the response body from the authentication server is read entirely into memory without any size limit. There is no `maxResponseBodySize`
CVE-2025-68121 | CRITICAL | CVSS 10.0 | affected versions: ≥ 0, < 3.6.8 | 2026-02-20
CVE-2025-68121 [CRITICAL] CWE-1395 Traefik affected by TLS ClientAuth Bypass on HTTP/3
### Summary
There is a potential vulnerability in Traefik managing HTTP/3 connections.
More details in the [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121).
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.37
- https://github.com/traefik/traefik/releases/tag/v3.6.8
## Workarounds
No workaround
## For more information
CVE-2026-25949 | HIGH | affected versions: ≥ 0, < 3.6.8 | 2026-02-12
CVE-2026-25949 [HIGH] CWE-400 Traefik: TCP readTimeout bypass via STARTTLS on Postgres
## Impact
There is a potential vulnerability in Traefik managing STARTTLS requests.
An unauthenticated client can bypass Traefik entrypoint `respondingTimeouts.readTimeout` by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service.
## Patches
- http
CVE-2026-22045 | MEDIUM | affected versions: ≥ 0, < 3.6.7 | 2026-01-15
CVE-2026-22045 [MEDIUM] CWE-770 Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall
## Impact
There is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled.
A malicious client can open many connections, send
CVE-2025-66491 | MEDIUM | affected versions: ≥ 3.5.0, < 3.6.3 | 2025-12-08
CVE-2025-66491 [MEDIUM] CWE-295 Traefik Inverted TLS Verification Logic in ingress-nginx Provider
## Impact
There is a potential vulnerability in Traefik NGINX provider managing the `nginx.ingress.kubernetes.io/proxy-ssl-verify` annotation.
The provider inverts the semantics of the `nginx.ingress.kubernetes.io/proxy-ssl-verify` annotation. Setting the annotation to `"on"` (intending to enable backend TLS certificate verificatio
CVE-2025-66490 | MEDIUM | affected versions: ≥ 0, < 3.6.3 | 2025-12-08
CVE-2025-66490 [MEDIUM] CWE-436 Path Normalization Bypass in Traefik Router + Middleware Rules
## Impact
There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher.
When Traefik is configured to route the requests to a backend using a matcher based on the path; if the request path contains an encoded restricted character from the following set **('/', '\', 'Null', ';', '
CVE-2025-54386 | HIGH | affected versions: ≥ 0, < 3.4.5; ≥ 3.5.0-rc1, < 3.5.0 | 2025-08-01
CVE-2025-54386 [HIGH] CWE-22 Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution
### Summary
A path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with `../` sequences, an attacker can overwrite arbitrary files on the s
CVE-2025-47952 | HIGH | CVSS 8.8 | affected versions: ≥ 0, < 3.4.1 | 2025-05-28
CVE-2025-47952 [HIGH] CWE-22 Traefik allows path traversal using url encoding
## Impact
There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher.
When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewa
CVE-2025-32431 | HIGH | affected versions: ≥ 0, < 3.3.6; ≥ 3.4.0-rc1, < 3.4.0-rc2 | 2025-04-21
CVE-2025-32431 [HIGH] CWE-22 Traefik has a possible vulnerability with its path matchers
## Impact
There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher.
When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a `/../` in its path, it’s possible to target a backend, exposed using another router, by-passing th
CVE-2025-22871 | CRITICAL | CVSS 9.1 | affected versions: ≥ 0, < 3.3.6; ≥ 3.4.0-rc1, < 3.4.0-rc2 | 2025-04-18
CVE-2025-22871 [CRITICAL] CWE-1395 Traefik affected by Go HTTP Request Smuggling Vulnerability
### Summary
net/http: request smuggling through invalid chunked data: The net/http package accepts data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could
CVE-2024-53259 | MEDIUM | CVSS 6.5 | affected versions: ≥ 0, < 3.2.2 | 2024-12-17
CVE-2024-53259 [MEDIUM] Traefik affected by CVE-2024-53259
There is a potential vulnerability in Traefik managing HTTP/3 connections.
More details in the [CVE-2024-53259](https://nvd.nist.gov/vuln/detail/CVE-2024-53259).
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.15
- https://github.com/traefik/traefik/releases/tag/v3.2.2
## Workarounds
No workaround
## For more information
If you have any questions or comments about this advisor