Traefik vulnerabilities
47 known vulnerabilities affecting traefik/traefik.

Total CVEs: 47
CISA KEV: 1 (actively exploited)
Public exploits: 2
Exploited in the wild: 1
Severity breakdown: CRITICAL 9, HIGH 23, MEDIUM 13, LOW 2

Vulnerabilities (page 1 of 3)
CVE-2023-44487 [HIGH] CWE-400
P1 | CVSS 7.5 | KEV | PoC | fixed in 2.10.5 | v3.0.0 | 2023-10-10
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Source: NVD
CVE-2026-48020 [CRITICAL] CWE-288
P2 | CVSS 10.0 | fixed in 2.11.48 | affected ≥ 3.0.0, < 3.6.19 (+3 more) | 2026-06-23
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware,
Source: NVD
CVE-2026-39858 [CRITICAL] CWE-290
P2 | CVSS 10.0 | fixed in 2.11.43 | affected ≥ 3.0.0, < 3.6.14 (+6 more) | 2026-04-30
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and doe
Source: NVD
CVE-2026-53622 [CRITICAL] CWE-288
P2 | CVSS 10.0 | fixed in 3.7.3 | 2026-06-23
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an e
Sources: GHSA, NVD
CVE-2026-35051 [CRITICAL] CWE-345
P2 | CVSS 10.0 | fixed in 2.11.43 | affected ≥ 3.0.0, < 3.6.14 (+6 more) | 2026-04-30
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and
Source: NVD
CVE-2026-44774 [CRITICAL] CWE-284
P2 | CVSS 9.9 | fixed in 2.11.46 | affected ≥ 3.0.0, < 3.6.17 (+3 more) | 2026-05-15
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name
Source: NVD
CVE-2026-48491 [CRITICAL] CWE-288
P2 | CVSS 10.0 | affected ≥ 3.7.0, < 3.7.3 | v>= 3.7.0, < 3.7.3 | 2026-06-23
Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection (SNICheck) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rule such as Host(*.example.com) with strict
Sources: GHSA, NVD
CVE-2025-54386 [CRITICAL] CWE-22
P2 | CVSS 9.8 | fixed in 2.11.7 | affected ≥ 3.0.0, < 3.4.4 (+3 more) | 2025-08-02
Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in Traefik's WASM plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the
Source: NVD
CVE-2026-33433 [HIGH] CWE-290
P3 | CVSS 8.8 | fixed in 2.11.42 | affected ≥ 3.0.0, < 3.6.12 (+4 more) | 2026-03-27
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The bac
Source: NVD
CVE-2025-47952 [CRITICAL] CWE-22
P3 | CVSS 9.1 | fixed in 2.11.25 | affected ≥ 3.0.0, < 3.4.1 (+1 more) | 2025-05-30
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL en
Source: NVD
CVE-2025-32431 [CRITICAL] CWE-22
P3 | CVSS 9.1 | fixed in 2.11.24 | affected ≥ 3.0.0, < 3.3.6 (+3 more) | 2025-04-21
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL co
Source: NVD
CVE-2026-40912 [HIGH] CWE-706
P3 | CVSS 8.2 | fixed in 2.11.43 | affected ≥ 3.0.0, < 3.6.14 (+6 more) | 2026-04-30
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches the regex against the decoded URL path but uses the resu
Source: NVD
CVE-2020-15129 [MEDIUM] CWE-601
P3 | CVSS 4.7 | PoC | fixed in 1.7.26 | affected ≥ 2.2.0, < 2.2.8 (+1 more) | 2020-07-30
In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component doesn't validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful
Source: NVD
CVE-2026-54762 [HIGH] CWE-636
P3 | CVSS 8.6 | affected ≥ 3.7.0, < 3.7.5 | v>= 3.7.0-ea.1, < 3.7.5 | 2026-06-23
Traefik is an HTTP reverse proxy and load balancer. From 3.7.0-ea.1 until 3.7.5, there is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported nginx.ingress.kubernetes.io/auth-type and auth-secret annotat
Source: NVD
CVE-2019-12452 [HIGH] CWE-522
P3 | CVSS 7.5 | affected ≥ 1.7.0, ≤ 1.7.11 | 2019-05-29
types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section
Source: NVD
CVE-2026-32695 [HIGH] CWE-74
P3 | CVSS 7.7 | fixed in 3.6.11 | v3.7.0-ea1 (+1 more) | 2026-03-27
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 3.6.11 and 3.7.0-ea.2, Traefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative `rules[].hosts[]` was exploitable for host restriction bypass (for example `ten
Source: NVD
CVE-2026-29054 [HIGH] CWE-178
P3 | CVSS 7.5 | affected ≥ 2.11.9, < 2.11.38 | ≥ 3.1.3, < 3.6.9 (+2 more) | 2026-03-05
Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (su
Source: NVD
CVE-2018-15598 [HIGH] CWE-287
P3 | CVSS 7.5 | affected ≥ 1.6.0, < 1.6.6 | 2018-08-21
Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable.
Source: NVD
CVE-2026-25949 [HIGH] CWE-400
P3 | CVSS 7.5 | fixed in 3.6.8 | 2026-02-12
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinit
Source: NVD
CVE-2026-26999 [HIGH] CWE-400
P3 | CVSS 7.5 | fixed in 2.11.38 | affected ≥ 3.0.0, < 3.6.9 (+1 more) | 2026-03-05
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake re
Source: NVD