SB2026050532 - Multiple vulnerabilities in Traefik

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) NULL pointer dereference (CVE-ID: CVE-2026-27141)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a null pointer dereference in the HTTP/2 handling component when processing HTTP/2 frames. A remote attacker can send specially crafted HTTP/2 frames to cause a denial of service.

2) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2026-29777)

The vulnerability allows a remote user to redirect traffic for victim hostnames to attacker-controlled backends.

The vulnerability exists due to improper neutralization of special elements in output used by a downstream component in the Kubernetes Gateway provider rule builder when processing tenant-controlled HTTPRoute header or query parameter match values. A remote privileged user can inject backtick-delimited rule tokens into generated router rules to redirect traffic for victim hostnames to attacker-controlled backends.

In shared gateway deployments, the issue can bypass listener hostname constraints and enable cross-tenant routing hijack.

Remediation

Install update from vendor's website.

References

• https://github.com/traefik/traefik/security/advisories/GHSA-4hjq-9h5c-252j
• https://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj
• https://github.com/traefik/traefik/commit/a4a91344edcdd6276c1b766ca19ee3f0e346480f