Traefik
Traefik Labs, 10.06.2026
Status: proven (no open regressions, established); 0 open bugs, 0 regressions
Upgrade assessment
Security-relevant. Update promptly.
Derived automatically from release, repo and CVE data — no judgment by a language model.
A flaw in Traefik's Kubernetes Gateway provider allows unauthorized exposure of internal Traefik services by bypassing namespace validation for crossProviderNamespaces allowlists.
Traefik proxy has a vulnerability in path-based request routing. Attackers can use URLs containing '/../' to bypass security middleware and access unauthorized backend services.
A security vulnerability was discovered in the oauth2/jws library of Traefik version 2.11.22, presenting a high security risk.
A vulnerability in the Go programming language allows HTTP request smuggling through improper handling of chunked data, which attackers can exploit to manipulate requests and bypass security controls in Traefik proxies.
Traefik proxy has a vulnerability in path-based routing that allows attackers to access protected backend services and bypass security middleware through URL-encoded path traversal attacks.
A security flaw in Traefik's WASM plugin installation allows attackers to overwrite arbitrary system files through malicious ZIP archives, potentially enabling code execution.
Traefik, a web proxy, has a path processing vulnerability that allows attackers to bypass security middleware by using URL-encoded characters in request paths, potentially gaining access to protected areas.
Traefik's NGINX provider inverts the meaning of a security setting, disabling TLS certificate verification when administrators believe it's enabled, allowing man-in-the-middle attacks on HTTPS connections.
Traefik web server has a vulnerability in automatic TLS certificate generation where attackers can permanently block system resources through incomplete connections and cause a denial-of-service attack.
A vulnerability in Traefik software affects the management of HTTP/3 connections and is rated as high severity, with no workarounds available.
A vulnerability in Traefik allows attackers to send a specific Postgres request and then stall, keeping connections open indefinitely, which leads to a denial of service attack.
Traefik proxy has a vulnerability in HTTP header processing that allows attackers to remove important identity headers like X-Real-IP through case manipulation, potentially leading to authentication and authorization bypasses in downstream services.
A flaw in Traefik allows attackers to keep TCP connections open indefinitely by sending incomplete TLS data and then stopping, which can exhaust system resources and degrade availability of all services.
Traefik proxy reads authentication server responses into memory without size limits, allowing a malicious authentication server to cause memory exhaustion and crash the service through oversized responses.
A vulnerability in Traefik's Kubernetes Gateway Provider allows attackers with write access to HTTPRoute resources to inject malicious rules through unvalidated header or query parameter values, enabling them to redirect traffic from other hostnames to their own servers.
A security vulnerability in Traefik, a web proxy and load balancer, allows attackers to compromise the system or disrupt the service.
Traefik's BasicAuth middleware has a timing vulnerability that allows attackers to enumerate valid usernames because response times differ significantly between existing and non-existing users.
Traefik has a TLS processing vulnerability where fragmented ClientHello packets can bypass SNI detection, allowing attackers to skip mutual TLS authentication and access protected services that should require client certificates.
Traefik's Kubernetes providers have a vulnerability where attackers can manipulate routing rules through special characters in hostnames or headers, potentially gaining unauthorized access to other services in multi-tenant environments.
A flaw in Traefik's authentication middleware allows authenticated attackers to impersonate other users when header names are configured in non-canonical form. Backend systems receive both the manipulated and genuine headers, typically reading the forged value first.
Traefik proxy software has a security vulnerability through a flawed gRPC-Go library where attackers can bypass authorization rules by sending HTTP/2 requests with malformed paths missing the required leading slash.
A vulnerability in Traefik's StripPrefixRegex middleware allows attackers to bypass authentication by using URL-encoded dots in paths, making protected content accessible without credentials.
A vulnerability in Traefik's ForwardAuth middleware allows attackers to bypass authentication controls by manipulating the X-Forwarded-Prefix header when Traefik is deployed behind a trusted proxy.
Traefik's authentication middleware has a vulnerability where attackers can bypass authentication by using spoofed headers with underscores instead of dashes, as only standard header names are sanitized.
Traefik's BasicAuth middleware has a timing vulnerability that allows attackers to discover valid usernames by measuring response times, as faulty code causes authentication to fail much faster for non-existent users than for existing ones.
Traefik's error pages middleware inadvertently forwards sensitive authentication data like Authorization headers and cookies to separate error page services, even though these were only intended for the original backend service.
Traefik's Kubernetes provider incorrectly bypasses namespace isolation when using Chain middleware, allowing attackers with CRD permissions in one namespace to access middleware objects from other namespaces.
A vulnerability in Traefik's Kubernetes Gateway API provider allows users with HTTPRoute permissions to gain unauthorized access to the REST configuration interface and manipulate Traefik's configuration, bypassing intended security settings that should prevent such access.
A vulnerability in Traefik's HTTP/3 implementation allows attackers to bypass client certificate authentication when wildcard hostnames or different letter casing are used, enabling access to protected backends without required certificates.
A security vulnerability in Traefik allows attackers to bypass client certificate authentication when wildcard routers are configured with stricter TLS settings by exploiting another permissive SNI connection on the same endpoint.
A vulnerability in Traefik's StripPrefix middleware allows attackers to bypass authentication by using paths containing '..' that get normalized to protected backend paths after the prefix is stripped.
Bug fixes for HTTP3 library, web UI dependencies, and TLS SNI checking with keep-alive connections
Bug fixes for Redis timeout configuration, TLS SNI check with keepalive, Gateway API status updates, and updates to various dependencies
Bug fixes for Redis timeout configuration, TLS SNI check with keepalive, Gateway API status updates, and updates to various dependencies
Security update fixes CVE-2026-48020 and multiple bugs in TLS configuration, authentication, and middleware behavior
Security update fixes CVE-2026-48020 and multiple bugs in TLS configuration, access logs, Kubernetes Gateway API and middleware behavior
Security update with three CVE fixes and various bug fixes for TLS, Kubernetes and middleware components
Security update fixes CVE-2026-44774 and corrects Kubernetes provider references along with cross-provider namespace options
Security update with CVE fix and Kubernetes provider improvements, migration required
Security update fixes CVE-2026-44774 and resolves Kubernetes provider issues with cross-provider references
Bug fixes for Kubernetes service loading and migration to moby/moby modules, with important migration guide reference
Traefik v3.6.16 fixes several bugs in Kubernetes integration, CORS configuration and migrates to updated Docker modules with required migration documentation
Traefik v3.7.0 introduces extensive Nginx Ingress compatibility, Gateway API improvements and new Web UI features, but requires migration
Security update with CVE fix, new errorRequestHeaders option for Errors middleware and ACME library update
Security update with CVE fix, ACME library updates and improvements for Kubernetes ExternalName services
Release candidate with security fix for CVE-2026-41181, ingress-nginx provider enhancements and various bug fixes
Security update fixing five CVEs and resolving bugs in middleware authentication and Kubernetes integration
Security update with five CVE fixes and breaking change for Chain middleware namespace references
Traefik v3.7.0-rc.2 fixes five critical security vulnerabilities (CVEs) and includes important bug fixes for Kubernetes, middleware, and authentication with breaking changes
Bug fix for middleware compression and various documentation improvements
Release candidate with bug fixes for Kubernetes Ingress-Nginx, web UI improvements and enhanced Gateway API support
Security update fixes two CVEs and corrects bugs in gRPC library, authentication middleware and prefix processing
Security update fixing two CVEs along with bug fixes for Kubernetes Ingress, ACME, PostgreSQL STARTTLS and middleware components
Security update fixing two CVEs along with various bug fixes for Kubernetes integration, ACME, TLS termination, and middleware functionality
Security update fixes three CVE vulnerabilities and corrects various bugs in Kubernetes integration, TLS processing, and authentication
Traefik v3.7.0-ea.2 fixes three critical security vulnerabilities (CVEs) and enhances Kubernetes integration with Gateway API v1.5.1 and Knative v1.20.0 support
Security update fixing two CVEs, adds HTTP provider configuration for maximum response body size and improvements to TLS and basic authentication
Traefik v3.7.0-ea.1 Early Access Release with extensive Nginx Ingress annotations, new middlewares and service failover features
Security update fixes CVE-2026-27141 and updates Docker, OpenTelemetry, and golang.org/x/net dependencies
Security update fixes two CVEs and various bugs in Gateway API, middleware, dashboard and dependencies
Security update fixes three CVE vulnerabilities and corrects multiple bugs in middleware components and TLS handling