Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

Traefik — Vulnerabilities & Security Advisories 44

Browse all 44 CVE security advisories affecting Traefik. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Traefik functions as an open-source edge router and reverse proxy, primarily designed to simplify the deployment of microservices by automatically discovering and configuring backend services. Its architecture focuses on dynamic configuration, allowing it to integrate seamlessly with container orchestration platforms like Docker and Kubernetes. Historically, the software has been susceptible to several critical vulnerability classes, including remote code execution, path traversal, and privilege escalation flaws. These issues often stem from improper input validation or insufficient access controls within its HTTP middleware and entry point configurations. With thirty-three recorded CVEs, recent incidents have highlighted risks related to unauthorized access to the dashboard and potential denial-of-service conditions. While the project maintains an active security response process, the high volume of disclosed flaws underscores the complexity of managing dynamic routing logic in distributed environments, requiring diligent patching and strict configuration hygiene to mitigate exposure.

Top products by Traefik: traefik
CVE IDTitleCVSSSeverityPublished
CVE-2026-54763 Traefik: headerField underscore-variant identity spoofing in BasicAuth / DigestAuth / ForwardAuth — traefikCWE-178--2026-07-06
CVE-2026-54765 Traefik: Gateway HTTPRoute backendRef filters can leak backend context across routes sharing a Service:port — traefikCWE-284--2026-07-06
CVE-2026-54764 ForwardAuth middleware leaks X-Forwarded-Port spoofing via untrusted X-Forwarded-Proto when trustForwardHeader=false — traefikCWE-345--2026-07-06
CVE-2026-54762 Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails — traefikCWE-636--2026-06-23
CVE-2026-54761 Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services — traefikCWE-284--2026-06-23
CVE-2026-53622 Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts — traefikCWE-288--2026-06-23
CVE-2026-48491 Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass — traefikCWE-288--2026-06-23
CVE-2026-48020 Traefik StripPrefix Route-Level Auth Bypass via Path Normalization — traefikCWE-288--2026-06-23
CVE-2023-54365 Traefik - Denial of Service via HTTP/2 Request Handling — TraefikCWE-400 7.5 High2026-06-23
CVE-2026-44774 Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false — traefikCWE-284--2026-05-15
CVE-2026-41181 Traefik: Errors middleware forwards Authorization and Cookie headers to separate error page service — traefikCWE-201--2026-05-15
CVE-2026-41263 Traefik: BasicAuth middleware: timing side-channel vulnerability — traefikCWE-208 3.7 -2026-04-30
CVE-2026-40912 Traefik: StripPrefixRegex auth bypass via Path/RawPath desync — traefikCWE-706 8.2 -2026-04-30
CVE-2026-39858 Traefik: Forwarded alias spoofing top pre-auth decision bypass — traefikCWE-290 9.8 -2026-04-30
CVE-2026-35051 Traefik: ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass auth — traefikCWE-345 9.1 -2026-04-30
CVE-2026-41174 Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding — traefikCWE-863 9.3 -2026-04-30
CVE-2026-33433 Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField — traefikCWE-290 8.1 -2026-03-27
CVE-2026-32695 Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass — traefikCWE-74 10.0 -2026-03-27
CVE-2026-32595 Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration — traefikCWE-208 3.7 -2026-03-20
CVE-2026-32305 Traefik mTLS bypass via fragmented ClientHello SNI extraction failure — traefikCWE-287 7.5 -2026-03-20
CVE-2026-29777 Traefik has a kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values — traefikCWE-74 5.4AIMediumAI2026-03-11
CVE-2026-29054 Traefik: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`) — traefikCWE-178 7.5 High2026-03-05
CVE-2026-26999 Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (slowloris doS) — traefikCWE-400 7.5 High2026-03-05
CVE-2026-26998 Traefik: unbounded io.ReadAll on auth server response body causes OOM denial of service(DOS) — traefikCWE-770 4.4 Medium2026-03-05
CVE-2026-25949 Traefik: TCP readTimeout bypass via STARTTLS on Postgres — traefikCWE-400 7.5 High2026-02-12
CVE-2026-22045 Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall — traefikCWE-770 5.9 Medium2026-01-15
CVE-2025-66491 Traefik has Inverted TLS Verification Logic in its ingress-nginx Provider — traefikCWE-295 5.9 Medium2025-12-09
CVE-2025-66490 Traefik doesn't Prevent Path Normalization Bypass in Router + Middleware Rules — traefikCWE-436 9.8AICriticalAI2025-12-09
CVE-2025-54386 Traefik's Client Plugin is Vulnerable to Path Traversal, Arbitrary File Overwrites and Remote Code Execution — traefikCWE-22 9.8 -2025-08-01
CVE-2025-47952 Traefik allows path traversal using url encoding — traefikCWE-22 9.1AICriticalAI2025-05-30

This page lists every published CVE security advisory associated with Traefik. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.