github.com/traefik/traefik/v3 vulnerabilities
41 known vulnerabilities affecting the Go module github.com/traefik/traefik/v3.
Total CVEs: 41
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 16, MEDIUM 20
Vulnerabilities
Page 2 of 3
CVE-2026-26999 | P3 | HIGH | affected: ≥ 0, < 3.6.9 | published 2026-03-04
CVE-2026-26999 [HIGH] CWE-400 Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DOS)
## Impact
There is a potential vulnerability in Traefik managing TLS handshake on TCP routers.
When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is complete
CVE-2024-39321 | P3 | HIGH | affected: ≥ 3.0.0-beta3, < 3.0.4; ≥ 3.1.0-rc1, < 3.1.0-rc3 | published 2024-07-05
CVE-2024-39321 [HIGH] CWE-639 Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes
### Impact
There is a vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses.
### Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.6
- https://github.com/traefik/traefik/rel
CVE-2024-28869 | P3 | HIGH | affected: ≥ 3.0.0-beta3, < 3.0.0-rc5 | published 2024-04-12
CVE-2024-28869 [HIGH] CWE-404 Traefik vulnerable to denial of service with Content-length header
There is a potential vulnerability in Traefik managing requests that carry a `Content-length` header but no body.
Sending a `GET` request to any Traefik endpoint with the `Content-length` request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service.
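To see this hang class without a Traefik instance, the added Go example below (illustration only, not Traefik's code or its fix) stands up a plain net/http server whose handler drains the request body, as any proxy that forwards a body must, sends it a hand-written GET with `Content-Length: 16` and no body, and reports whether the handler ever returns. With the zero-value `ReadTimeout` the body read blocks for as long as the client keeps the socket open; with `ReadTimeout` set, the read fails with a timeout and the goroutine is freed. The request, the timeouts and the echo handler are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// readOutcome is what the handler observed while draining the request body.
type readOutcome struct {
	Bytes int64
	Err   error
}

// startServer starts an HTTP server whose handler reads the whole request body.
// readTimeout bounds the read of the entire request including the body; the
// zero value is the default and means "wait for ever".
func startServer(readTimeout time.Duration) (*httptest.Server, <-chan readOutcome) {
	outcomes := make(chan readOutcome, 1)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		n, err := io.Copy(io.Discard, r.Body)
		outcomes <- readOutcome{n, err}
		if err != nil {
			http.Error(w, "could not read body", http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "read %d bytes\n", n)
	}))
	srv.Config.ReadTimeout = readTimeout
	srv.Start()
	return srv, outcomes
}

// sendHeadersOnly writes a GET that announces a body via Content-Length but
// never sends it (written by hand so no client library can "help"), then
// waits up to wait for the handler. The bool reports whether the handler
// returned at all within that time.
func sendHeadersOnly(addr string, contentLength int, wait time.Duration, outcomes <-chan readOutcome) (readOutcome, bool) {
	c, err := net.Dial("tcp", addr)
	if err != nil {
		return readOutcome{Err: err}, true
	}
	defer c.Close() // closing the socket is what finally unblocks a handler with no deadline
	fmt.Fprintf(c, "GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: %d\r\n\r\n", contentLength)
	select {
	case o := <-outcomes:
		return o, true
	case <-time.After(wait):
		return readOutcome{}, false // handler is still blocked in the body read
	}
}

func main() {
	for _, rt := range []time.Duration{0, 300 * time.Millisecond} {
		srv, outcomes := startServer(rt)
		o, returned := sendHeadersOnly(srv.Listener.Addr().String(), 16, time.Second, outcomes)
		fmt.Printf("ReadTimeout=%v handler returned=%v outcome=%+v\n", rt, returned, o)
		srv.Close()
	}
}
```

The same effect is reachable through any layer that bounds the whole request read; the point is that the default, unbounded read is what turns one cheap request per connection into a held goroutine.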
CVE-2026-22045 | P3 | MEDIUM | affected: ≥ 0, < 3.6.7 | published 2026-01-15
CVE-2026-22045 [MEDIUM] CWE-770 Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall
## Impact
There is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled.
A malicious client can open many connections, send
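CVE-2026-26999 and CVE-2026-22045 describe the same failure class: a read deadline is set to bound protocol sniffing, then cleared (or never applied) before the TLS handshake, so a client that sends one byte and goes silent pins a goroutine and a file descriptor for as long as it likes. The Go program below is an added illustration of that pattern and its fix, not Traefik's code: `serveTLS` reads one byte to decide whether the connection is TLS, then either clears the deadline before the handshake (the unsafe variant) or keeps it until `Handshake` returns and only then lifts it. The self-signed certificate, the loopback listener and the one-byte client in `main` are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedConfig builds a throwaway server certificate so the example runs offline.
func selfSignedConfig() (*tls.Config, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames: []string{"example.test"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}, nil
}

// prefixConn replays the byte consumed by protocol sniffing before reading on.
type prefixConn struct {
	net.Conn
	prefix []byte
}

func (c *prefixConn) Read(p []byte) (int, error) {
	if len(c.prefix) > 0 {
		n := copy(p, c.prefix)
		c.prefix = c.prefix[n:]
		return n, nil
	}
	return c.Conn.Read(p)
}

// serveTLS sniffs one byte to decide "is this TLS?" and then runs the handshake.
// keepDeadline=false reproduces the unsafe pattern: the deadline that bounded
// the sniff is cleared before the handshake, so one byte followed by silence
// holds the goroutine and file descriptor indefinitely. keepDeadline=true keeps
// the deadline until Handshake returns.
func serveTLS(raw net.Conn, cfg *tls.Config, timeout time.Duration, keepDeadline bool) error {
	defer raw.Close()
	if err := raw.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return err
	}
	peek := make([]byte, 1)
	if _, err := raw.Read(peek); err != nil {
		return err
	}
	if peek[0] != 0x16 { // 0x16 = TLS handshake record type
		return errors.New("not a TLS connection")
	}
	if !keepDeadline {
		raw.SetReadDeadline(time.Time{}) // the bug: the handshake now has no time bound
	}
	if err := tls.Server(&prefixConn{Conn: raw, prefix: peek}, cfg).Handshake(); err != nil {
		return err
	}
	// Only now is it safe to lift the deadline and hand the connection over.
	return raw.SetReadDeadline(time.Time{})
}

// acceptOne listens on a loopback port, serves exactly one connection and
// reports the handshake outcome on the returned channel.
func acceptOne(timeout time.Duration, keepDeadline bool) (string, <-chan error, error) {
	cfg, err := selfSignedConfig()
	if err != nil {
		return "", nil, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	ch := make(chan error, 1)
	go func() {
		defer ln.Close()
		c, err := ln.Accept()
		if err != nil {
			ch <- err
			return
		}
		ch <- serveTLS(c, cfg, timeout, keepDeadline)
	}()
	return ln.Addr().String(), ch, nil
}

func main() {
	addr, result, err := acceptOne(500*time.Millisecond, true)
	if err != nil {
		panic(err)
	}
	c, err := net.Dial("tcp", addr) // Slowloris-style client: one record byte, then silence
	if err != nil {
		panic(err)
	}
	defer c.Close()
	c.Write([]byte{0x16})
	fmt.Println("server gave up with:", <-result)
}
```

With `keepDeadline=false` the same stalling client keeps the server goroutine blocked until the client itself closes the socket, which is the resource-exhaustion primitive both advisories describe; a real server would return the `tls.Conn` after a successful handshake instead of closing it.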
CVE-2026-54761 | P3 | MEDIUM | affected: ≥ 0, < 3.6.21; ≥ 3.7.0-ea.1, < 3.7.5 | published 2026-06-17
CVE-2026-54761 [MEDIUM] CWE-284 Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services
## Summary
There is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the `crossProviderNamespaces` allowlist. For `HTTPRoute` rules that declare multiple (WRR) backen
CVE-2025-66490 | P3 | MEDIUM | affected: ≥ 0, < 3.6.3 | published 2025-12-08
CVE-2025-66490 [MEDIUM] CWE-436 Path Normalization Bypass in Traefik Router + Middleware Rules
## Impact
There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher.
When Traefik is configured to route the requests to a backend using a matcher based on the path; if the request path contains an encoded restricted character from the following set **('/', '\', 'Null', ';', '
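The problem the advisory describes is a decode mismatch: a path matcher decides on one form of the path while the backend sees another, and a percent-encoded `/`, `\`, NUL or `;` is exactly what makes the two forms disagree. The Go guard below is an added example, not Traefik's patch: it scans the still-encoded path (`EscapedPath`) for those four encodings, rescans once more after a single decode so that double-encoded forms such as `%252F` are caught too (a generalisation beyond the advisory's text), and answers 400 before any matcher runs. The advisory's character list is cut off on this page, so the set here covers only the characters visible above; the request targets in `main` are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// encodedRestricted maps percent-encoded forms of characters that change the
// meaning of a path once decoded: '/', '\', NUL and ';'. Hex case is
// normalised before lookup, so %2F and %2f both match.
var encodedRestricted = map[string]byte{"%2f": '/', "%5c": '\\', "%00": 0, "%3b": ';'}

// decodeOnce performs a single round of percent-decoding; on malformed input
// it returns the path unchanged so the caller still scans something.
func decodeOnce(p string) string {
	if d, err := url.PathUnescape(p); err == nil {
		return d
	}
	return p
}

// findEncodedRestricted scans the raw path and its once-decoded form for the
// triplets above and returns the first hidden character it finds.
func findEncodedRestricted(rawPath string) (byte, bool) {
	for _, candidate := range []string{rawPath, decodeOnce(rawPath)} {
		lower := strings.ToLower(candidate)
		for i := 0; i+3 <= len(lower); i++ {
			if lower[i] != '%' {
				continue
			}
			if c, ok := encodedRestricted[lower[i:i+3]]; ok {
				return c, true
			}
		}
	}
	return 0, false
}

// rejectEncodedRestricted refuses such requests with 400 before routing, so a
// decision taken on the decoded path cannot diverge from what the backend
// sees in the raw one.
func rejectEncodedRestricted(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, found := findEncodedRestricted(r.URL.EscapedPath()); found {
			http.Error(w, fmt.Sprintf("encoded %q is not allowed in the path", c), http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe runs one raw request target through the guard in front of a handler
// that echoes the decoded path, returning the status and the echoed body.
func probe(target string) (int, string) {
	h := rejectEncodedRestricted(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.URL.Path)
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	// Constructed request targets: literal characters pass, encoded ones do not.
	for _, t := range []string{"/admin/users", "/admin%2Fusers", "/admin%252Fusers", "/files/a%5Cb", "/a;b", "/a%3Bb", "/a%00b"} {
		code, path := probe(t)
		fmt.Printf("%-18s -> %d decoded=%q\n", t, code, path)
	}
}
```

Rejecting is deliberately chosen over normalising: a normaliser has to agree with every backend's own decoder, while a rejection only has to be consistent with itself.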
CVE-2023-47633 | P3 | HIGH | affected: ≥ 0, < 3.0.0-beta5 | published 2023-12-05
CVE-2023-47633 [HIGH] CWE-400 Traefik docker container using 100% CPU
### Summary
The traefik docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration.
### Details
While attempting to set up Traefik to handle traffic for Docker containers, I observed in the webUI a rule with the following information:
`Host(traefik-service) | webwebsec
CVE-2026-29777 | P3 | MEDIUM | affected: ≥ 0, < 3.6.10 | published 2026-03-11
CVE-2026-29777 [MEDIUM] CWE-74 Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values
## Summary
There is a potential vulnerability in Traefik's Kubernetes Gateway provider related to rule injection.
A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query para
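The mechanism above is string concatenation into a rule language whose string literals are backtick-delimited: a value containing a backtick closes the literal and whatever follows is parsed as rule syntax. The Go snippet below is an added example, not Traefik's Gateway provider code: `unsafeHeaderRule` builds a `Header(...)` matcher the way the advisory describes, `safeHeaderRule` rejects any name or value that could end the literal, and `matcherCount` makes the effect of the injected payload visible. The payload and header name are constructed; how Traefik's own fix escapes or rejects values is not stated on this page.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var errUnsafeRuleValue = errors.New("match value cannot be embedded in a backtick-delimited rule string")

// unsafeHeaderRule is the pattern the advisory describes: a tenant-controlled
// HTTPRoute match value is pasted between backticks with no sanitisation.
func unsafeHeaderRule(name, value string) string {
	return fmt.Sprintf("Header(`%s`, `%s`)", name, value)
}

// safeHeaderRule rejects anything that can terminate the backtick literal.
// A raw string has no escape sequence for its own delimiter, so the sound
// options are to reject or to switch delimiters; this version rejects.
// Control characters are refused too, so a value cannot span lines.
func safeHeaderRule(name, value string) (string, error) {
	for _, s := range []string{name, value} {
		if strings.ContainsAny(s, "`\x00\r\n") {
			return "", errUnsafeRuleValue
		}
	}
	return fmt.Sprintf("Header(`%s`, `%s`)", name, value), nil
}

// matcherCount counts top-level matcher invocations, a cheap way to show that
// an injected value changed the shape of the rule.
func matcherCount(rule string) int {
	n := 0
	for _, m := range []string{"Header(", "Host(", "PathPrefix(", "Path("} {
		n += strings.Count(rule, m)
	}
	return n
}

func main() {
	// Constructed payload: closes the value literal, ORs in a second matcher, reopens a literal.
	payload := "acme`) || PathPrefix(`/"
	rule := unsafeHeaderRule("X-Tenant", payload)
	fmt.Printf("%s\n  matchers=%d\n", rule, matcherCount(rule))
	if _, err := safeHeaderRule("X-Tenant", payload); err != nil {
		fmt.Println("rejected:", err)
	}
}
```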
CVE-2023-47106 | P3 | MEDIUM | affected: ≥ 0, < 3.0.0-beta5 | published 2023-12-05
CVE-2023-47106 [MEDIUM] CWE-177 Traefik incorrectly processes fragment in the URL, leads to Authorization Bypass
### Summary
When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates the RFC because in the origin-form the URL should only contain the absolute path and the query.
When this is combined with another frontend
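Go's own request parser and `httputil.ReverseProxy` reproduce the behaviour the advisory describes: a `#` in the request-line is kept in the path, and the proxy re-encodes it as `%23` on the way to the backend, so `/api#/admin` arrives as `/api%23/admin`. The example below is added here and is not Traefik's code: `probe` sends a hand-written request line (an `http.Client` would drop the fragment itself) through a reverse proxy to a backend that records the request-target it saw, with and without a `Director` hook that cuts the path at the first `#`. The request targets and both servers are constructed for the demo.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// stripFragment cuts the outgoing path at the first '#'. RawPath is cleared so
// the URL machinery re-derives the escaped form from the shortened Path.
func stripFragment(req *http.Request) {
	if i := strings.IndexByte(req.URL.Path, '#'); i >= 0 {
		req.URL.Path = req.URL.Path[:i]
		req.URL.RawPath = ""
	}
}

// probe proxies one raw request-line through a reverse proxy and returns the
// request-target the backend received. fixed=true installs the fragment guard.
func probe(target string, fixed bool) (string, error) {
	seen := make(chan string, 1)
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.RequestURI // the raw request-target as it arrived at the backend
	}))
	defer backend.Close()
	u, err := url.Parse(backend.URL)
	if err != nil {
		return "", err
	}
	proxy := httputil.NewSingleHostReverseProxy(u)
	if fixed {
		director := proxy.Director
		proxy.Director = func(req *http.Request) {
			director(req)
			stripFragment(req)
		}
	}
	front := httptest.NewServer(proxy)
	defer front.Close()

	c, err := net.Dial("tcp", front.Listener.Addr().String())
	if err != nil {
		return "", err
	}
	defer c.Close()
	fmt.Fprintf(c, "GET %s HTTP/1.1\r\nHost: front.test\r\n\r\n", target)
	if _, err := http.ReadResponse(bufio.NewReader(c), nil); err != nil {
		return "", err
	}
	return <-seen, nil
}

func main() {
	for _, fixed := range []bool{false, true} {
		got, err := probe("/api#/admin", fixed)
		fmt.Printf("fixed=%-5v backend saw %q (err=%v)\n", fixed, got, err)
	}
}
```

The guard belongs in front of every matcher and middleware, not just the proxy step: a rule that matches `/api` but forwards `/api%23/admin` is the authorization mismatch the advisory's title refers to.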
CVE-2026-41174 | P3 | MEDIUM | affected: ≥ 3.7.0-ea.1, < 3.7.0-rc.2; ≥ 3.0.0-beta1, < 3.6.14 | published 2026-04-24
CVE-2026-41174 [MEDIUM] CWE-653 Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding
## Summary
There is a vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement.
When `providers.kubernetesCRD.allowCrossNamespace=false`, Traefik correctly rejects direct cross-namespace middleware references from `IngressRoute` objects, but fails to apply the same restriction
CVE-2026-32305 | P4 | HIGH | affected: ≥ 3.7.0-ea.1, < 3.7.0-ea.2; ≥ 0, < 3.6.11 | published 2026-03-20
CVE-2026-32305 [HIGH] CWE-287 Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config
## Summary
There is a potential vulnerability in Traefik's TLS SNI pre-sniffing logic related to fragmented ClientHello packets.
When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extr
CVE-2026-41181 | P4 | MEDIUM | affected: ≥ 0, < 3.6.15; ≥ 3.7.0-rc.0, < 3.7.0-rc.3 | published 2026-05-04
CVE-2026-41181 [MEDIUM] CWE-201 Traefik's errors middleware forwards Authorization and Cookie headers to separate error page service
## Summary
There is a medium severity information disclosure vulnerability in Traefik's `errors` (custom error pages) middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request's complete head
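An error-page service is a second, usually less trusted, backend; the request that fetches the page must carry what the page needs (content negotiation) and nothing that identifies the client. The Go example below is added here and is not Traefik's middleware: `errorPageRequest` builds the fetch either by copying the complete header set, as the advisory describes, or by dropping `Authorization`, `Proxy-Authorization` and `Cookie`, and `probe` sends it to a fake error-page service that records what it received. The bearer token, cookie and service URL are constructed; the header denylist is the example's own choice.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// credentialHeaders carry the client's identity or session and must never be
// forwarded to a separate error-page service.
var credentialHeaders = []string{"Authorization", "Proxy-Authorization", "Cookie"}

// errorPageRequest builds the request for the error-page service from the
// original client request. withCredentials=true copies every header (the
// behaviour the advisory describes); false drops the credential headers but
// keeps headers such as Accept-Language, which an error page legitimately uses.
func errorPageRequest(orig *http.Request, pageURL string, withCredentials bool) (*http.Request, error) {
	req, err := http.NewRequestWithContext(orig.Context(), http.MethodGet, pageURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header = orig.Header.Clone()
	if !withCredentials {
		for _, h := range credentialHeaders {
			req.Header.Del(h)
		}
	}
	return req, nil
}

// probe stands up a fake error-page service that records the headers it
// receives, sends it the request built from a client request carrying a
// bearer token and a session cookie, and returns what the service saw.
func probe(withCredentials bool) (http.Header, error) {
	seen := make(chan http.Header, 1)
	page := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Clone()
		w.WriteHeader(http.StatusServiceUnavailable)
		fmt.Fprint(w, "<h1>Service unavailable</h1>")
	}))
	defer page.Close()

	// Constructed client request: the kind of thing that hit a backend and got a 5xx.
	client := httptest.NewRequest(http.MethodGet, "/api/orders", nil)
	client.Header.Set("Authorization", "Bearer secret-token")
	client.Header.Set("Cookie", "session=abc123")
	client.Header.Set("Accept-Language", "de-CH")

	req, err := errorPageRequest(client, page.URL+"/503.html", withCredentials)
	if err != nil {
		return nil, err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return <-seen, nil
}

func main() {
	for _, with := range []bool{true, false} {
		h, err := probe(with)
		fmt.Printf("copy credentials=%-5v service saw Authorization=%q Cookie=%q Accept-Language=%q err=%v\n",
			with, h.Get("Authorization"), h.Get("Cookie"), h.Get("Accept-Language"), err)
	}
}
```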
CVE-2024-53259 | P4 | MEDIUM | CVSS 6.5 | affected: ≥ 0, < 3.2.2 | published 2024-12-17
CVE-2024-53259 [MEDIUM] Traefik affected by CVE-2024-53259
There is a potential vulnerability in Traefik managing HTTP/3 connections.
More details in the [CVE-2024-53259](https://nvd.nist.gov/vuln/detail/CVE-2024-53259).
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.15
- https://github.com/traefik/traefik/releases/tag/v3.2.2
## Workarounds
No workaround
## For more information
If you have any questions or comments about this advisor
CVE-2025-66491 | P4 | MEDIUM | affected: ≥ 3.5.0, < 3.6.3 | published 2025-12-08
CVE-2025-66491 [MEDIUM] CWE-295 Traefik Inverted TLS Verification Logic in ingress-nginx Provider
## Impact
There is a potential vulnerability in Traefik NGINX provider managing the `nginx.ingress.kubernetes.io/proxy-ssl-verify` annotation.
The provider inverts the semantics of the `nginx.ingress.kubernetes.io/proxy-ssl-verify` annotation. Setting the annotation to `"on"` (intending to enable backend TLS certificate verificatio
CVE-2023-47124 | P4 | MEDIUM | affected: ≥ 0, < 3.0.0-beta5 | published 2023-12-05
CVE-2023-47124 [MEDIUM] CWE-400 Traefik vulnerable to potential DDoS via ACME HTTPChallenge
## Impact
There is a potential vulnerability in Traefik managing the ACME HTTP challenge.
When Traefik is configured to use the [HTTPChallenge](https://doc.traefik.io/traefik/https/acme/#httpchallenge) to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attacker
CVE-2024-24788 | P4 | MEDIUM | CVSS 5.9 | affected: ≥ 0, < 3.0.1 | published 2024-05-23
CVE-2024-24788 [MEDIUM] CWE-1395 Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop
### Impact
There is a vulnerability in [GO managing malformed DNS message](https://groups.google.com/g/golang-announce/c/wkkO4P9stm0), which impacts Traefik.
This vulnerability could be exploited to cause a denial of service.
### References
- [CVE-2024-24788](https://www.cve.org/CVERecord?id=
CVE-2024-35255 | P4 | MEDIUM | CVSS 5.5 | affected: ≥ 0, < 3.0.3 | published 2024-06-20
CVE-2024-35255 [MEDIUM] CWE-362 ACME DNS: Azure Identity Libraries Elevation of Privilege Vulnerability
### Impact
There is a vulnerability in [Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2024-35255).
### References
- [CVE-2024-35255](https://nvd.nist.gov/vuln/detail/CVE-2024-35255)
### Patches
- https://github.com/traefik/trae
CVE-2024-52003 | P4 | MEDIUM | affected: ≥ 0, < 3.2.1 | published 2024-12-02
CVE-2024-52003 [MEDIUM] CWE-601 Traefik's X-Forwarded-Prefix Header still allows for Open Redirect
### Impact
There is a vulnerability in Traefik that allows the client to provide the `X-Forwarded-Prefix` header from an untrusted source.
### Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.14
- https://github.com/traefik/traefik/releases/tag/v3.2.1
### Workarounds
No workaround.
### For more information
If
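`X-Forwarded-Prefix` is only meaningful when a trusted front proxy sets it; accepted from an arbitrary client it becomes the first component of any redirect built from it. The Go example below is added here and is not Traefik's fix: `trustForwardedFrom` strips the `X-Forwarded-*` family unless the TCP peer falls inside an operator-supplied set of trusted prefixes, and `addSlashRedirect` is a deliberately naive consumer that shows why the header matters. The trusted range, peer addresses and the `//evil.example` prefix are constructed; whether this mirrors Traefik's own `forwardedHeaders` handling is not stated on this page.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/netip"
)

// forwardedHeaders are headers a front proxy may legitimately set and a
// direct client must not.
var forwardedHeaders = []string{"X-Forwarded-Prefix", "X-Forwarded-Proto", "X-Forwarded-Host", "X-Forwarded-Port", "X-Forwarded-For"}

// peerIsTrusted reports whether the connection's remote address lies in one of
// the trusted prefixes. Anything unparsable is treated as untrusted.
func peerIsTrusted(remoteAddr string, trusted []netip.Prefix) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return false
	}
	for _, p := range trusted {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// trustForwardedFrom keeps X-Forwarded-* only for connections from trusted
// peers and deletes them on every other connection before the handler runs.
func trustForwardedFrom(trusted []netip.Prefix, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !peerIsTrusted(r.RemoteAddr, trusted) {
			for _, h := range forwardedHeaders {
				r.Header.Del(h)
			}
		}
		next.ServeHTTP(w, r)
	})
}

// addSlashRedirect is a minimal "redirect to the trailing-slash form" handler
// that honours X-Forwarded-Prefix: with a client-controlled prefix such as
// "//evil.example" the Location becomes a protocol-relative open redirect.
func addSlashRedirect(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, r.Header.Get("X-Forwarded-Prefix")+r.URL.Path+"/", http.StatusFound)
}

// probe returns the Location a client at remoteAddr would be sent to when it
// requests /api with the given X-Forwarded-Prefix.
func probe(remoteAddr, prefix string, trusted []netip.Prefix) string {
	req := httptest.NewRequest(http.MethodGet, "/api", nil)
	req.RemoteAddr = remoteAddr
	req.Header.Set("X-Forwarded-Prefix", prefix)
	rec := httptest.NewRecorder()
	trustForwardedFrom(trusted, http.HandlerFunc(addSlashRedirect)).ServeHTTP(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	proxies := []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")} // assumed: front proxies live here
	fmt.Println(probe("10.0.0.7:51000", "/app", proxies))              // legitimate prefix from a proxy
	fmt.Println(probe("203.0.113.9:51000", "//evil.example", proxies)) // stripped: attacker on the Internet
	fmt.Println(probe("203.0.113.9:51000", "//evil.example", nil))     // nil trust list: still stripped
}
```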
CVE-2026-26998 | P4 | MEDIUM | affected: ≥ 0, < 3.6.9 | published 2026-03-04
CVE-2026-26998 [MEDIUM] CWE-770 Traefik has unbounded io.ReadAll on auth server response body that causes OOM DOS
## Impact
There is a potential vulnerability in Traefik managing the ForwardAuth middleware responses.
When Traefik is configured to use the ForwardAuth middleware, the response body from the authentication server is read entirely into memory without any size limit. There is no `maxResponseBodySize`
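The unsafe primitive is `io.ReadAll(resp.Body)` with no ceiling: whoever controls (or can redirect) the auth server controls how much memory each denied request allocates. The Go example below is added here and is not Traefik's ForwardAuth middleware: `readBounded` reads at most `limit` bytes and fails if the peer offers more, `forwardAuth` applies it only to the non-2xx path (a 2xx body is drained, never buffered) and `authServer` is a constructed stand-in for the authentication backend. The 1 MiB limit and the 8 MiB denial page are the demo's own numbers.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

var errResponseTooLarge = errors.New("auth server response body exceeds limit")

// readBounded reads at most limit bytes and fails if the peer offers more,
// instead of trusting it to keep the body small. Reading limit+1 bytes is what
// distinguishes "exactly limit" from "more than limit".
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > limit {
		return nil, errResponseTooLarge
	}
	return buf, nil
}

// authServer plays the ForwardAuth backend: it answers every request with the
// given status and a body of bodySize bytes (constructed test fixture).
func authServer(status, bodySize int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(status)
		io.Copy(w, strings.NewReader(strings.Repeat("x", bodySize)))
	}))
}

// forwardAuth asks the auth server whether the request may proceed. On a 2xx
// the body is only drained, never buffered; on anything else the body is
// relayed as the denial page, but never more than limit bytes of it.
func forwardAuth(authURL string, limit int64) (int, []byte, error) {
	resp, err := http.Get(authURL)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 200 && resp.StatusCode < 300 {
		io.Copy(io.Discard, io.LimitReader(resp.Body, limit))
		return resp.StatusCode, nil, nil
	}
	body, err := readBounded(resp.Body, limit)
	return resp.StatusCode, body, err
}

func main() {
	srv := authServer(http.StatusForbidden, 8<<20) // 8 MiB denial page
	defer srv.Close()
	status, body, err := forwardAuth(srv.URL, 1<<20)
	fmt.Printf("status=%d relayed=%d bytes err=%v\n", status, len(body), err)
}
```

`http.MaxBytesReader` gives the same guarantee when a `ResponseWriter` is at hand; the plain `LimitReader` form is used here because the response is being consumed by a client, not served.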
CVE-2026-41263 | P4 | MEDIUM | CVSS 6.3 | affected: ≥ 3.7.0-ea.1, < 3.7.0-rc.2; ≥ 3.0.0-beta1, < 3.6.14 | published 2026-04-24
CVE-2026-41263 [MEDIUM] CWE-208 Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware
## Summary
There is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences.
The variable intended to hold a constant-time fallback secret always re
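The side channel is the difference between "unknown user, return immediately" and "known user, run the password hash": with a slow hash the gap is milliseconds, easily measured over a network. The Go program below is an added illustration, not Traefik's BasicAuth code and not htpasswd-compatible: `verifyLeaky` short-circuits on an unknown username, while `verifyUniform` hashes against a real fallback entry when the user does not exist and only afterwards combines "user exists" with "password matches", so guessing the fallback secret never logs anyone in. The user store, the fallback secret and the deliberately slow `derive` stand-in for a password hash are all constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// rounds makes the stand-in password hash deliberately slow (milliseconds) so
// the gap between "user exists" and "user does not exist" is measurable.
// It is an illustration, not a real KDF: use bcrypt/argon2 in production.
const rounds = 50000

type entry struct{ salt, hash []byte }

func derive(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 0; i < rounds; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

func newEntry(salt, password string) entry {
	return entry{salt: []byte(salt), hash: derive([]byte(salt), password)}
}

// users is a constructed sample user store.
var users = map[string]entry{"alice": newEntry("salt-alice", "correct horse")}

// fallback is the "constant-time fallback secret": a real hash that is compared
// against when the username is unknown, purely so the same work is done.
var fallback = newEntry("salt-fallback", "fallback-not-a-login")

// verifyLeaky returns in nanoseconds for unknown users and in milliseconds for
// known ones, which is all an attacker needs to enumerate valid usernames.
func verifyLeaky(user, password string) bool {
	e, ok := users[user]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(derive(e.salt, password), e.hash) == 1
}

// verifyUniform does the same amount of work whether or not the user exists
// and only then combines the two facts, so response time no longer reveals
// which usernames are valid.
func verifyUniform(user, password string) bool {
	e, ok := users[user]
	if !ok {
		e = fallback
	}
	match := subtle.ConstantTimeCompare(derive(e.salt, password), e.hash) == 1
	return ok && match
}

// timed reports how long a verification took, for the demonstration in main.
func timed(verify func(string, string) bool, user, password string) (bool, time.Duration) {
	start := time.Now()
	ok := verify(user, password)
	return ok, time.Since(start)
}

func main() {
	verifiers := []struct {
		name string
		fn   func(string, string) bool
	}{{"leaky", verifyLeaky}, {"uniform", verifyUniform}}
	for _, v := range verifiers {
		for _, user := range []string{"alice", "nobody"} {
			ok, d := timed(v.fn, user, "wrong password")
			fmt.Printf("%-8s user=%-7s ok=%-5v took=%v\n", v.name, user, ok, d)
		}
	}
}
```

Running `main` shows the leaky variant answering for `nobody` orders of magnitude faster than for `alice`, while the uniform variant takes the same time for both; the test below checks only the logic, since wall-clock assertions are unreliable in CI.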