SB2026050535 - Multiple vulnerabilities in Traefik
Published: May 5, 2026
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-41174)
The vulnerability allows a local user to bypass namespace isolation and apply middleware from another namespace.
The vulnerability exists due to improper access control in the Kubernetes CRD provider Chain middleware resolution path when processing nested middleware references in Middleware.spec.chain.middlewares[] with cross-namespace references disabled. A local user can create or update a local Chain middleware that references middleware objects in another namespace to bypass namespace isolation and apply middleware from another namespace.
Only deployments with providers.kubernetesCRD.allowCrossNamespace=false are affected.
2) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-41263)
The vulnerability allows a remote attacker to enumerate valid usernames.
The vulnerability exists due to observable timing discrepancy in BasicAuth middleware when handling authentication requests. A remote attacker can send authentication attempts and measure response-time differences to enumerate valid usernames.
The issue occurs because the constant-time fallback secret resolves to an empty string, causing the comparison to short-circuit instead of performing a full bcrypt evaluation.
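The short-circuit described above, as an added illustration that is not Traefik's code: when the user lookup misses and the fallback secret is empty, the verifier returns before doing any key-stretching work, so unknown users answer measurably faster than known users with a wrong password; the fixed form evaluates a precomputed dummy record unconditionally. PBKDF2-HMAC-SHA256 stands in for bcrypt here, and the sample user, password and work counter are constructed.

```python
import hashlib
import hmac
import os

# Constructed illustration of the bug class, not Traefik's code. PBKDF2-HMAC-SHA256
# stands in for bcrypt (assumption); what matters is that the expensive step is
# skipped entirely when the stored secret is empty.
ITERATIONS = 50_000
STRETCH_CALLS = 0  # counts expensive hash evaluations, a proxy for response time

def stretch(password: str, salt: bytes) -> bytes:
    global STRETCH_CALLS
    STRETCH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, stretch(password, salt)

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    # An empty stored hash is malformed, so a real verifier (bcrypt included)
    # rejects it before doing any work. That early return is the timing leak.
    if not digest:
        return False
    return hmac.compare_digest(stretch(password, salt), digest)

USERS = {"alice": make_record("correct horse")}  # constructed sample user

def auth_vulnerable(user: str, password: str) -> bool:
    # Unknown users fall back to an empty secret: no stretching, fast reply.
    salt, digest = USERS.get(user, (b"", b""))
    return verify(password, salt, digest)

# Fixed form: a real dummy record built once at startup so an unknown user costs
# exactly one stretch, the same as a known user with a wrong password.
DUMMY_SALT, DUMMY_DIGEST = make_record(os.urandom(16).hex())

def auth_fixed(user: str, password: str) -> bool:
    known = user in USERS
    salt, digest = USERS[user] if known else (DUMMY_SALT, DUMMY_DIGEST)
    # Evaluate the hash unconditionally, then AND with `known` so the
    # dummy record can never authenticate anyone.
    return verify(password, salt, digest) and known

def stretch_cost(fn, user: str, password: str) -> int:
    # Number of expensive hash evaluations one authentication attempt performs.
    global STRETCH_CALLS
    STRETCH_CALLS = 0
    fn(user, password)
    return STRETCH_CALLS
```

In the vulnerable form an unknown user costs zero stretches while a known user with a wrong password costs one, which is the observable difference the bulletin describes; the fixed form costs one in both cases.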
3) Authentication Bypass by Spoofing (CVE-ID: CVE-2026-39858)
The vulnerability allows a remote attacker to bypass authentication and access protected endpoints.
The vulnerability exists due to authentication bypass by spoofing in ForwardAuth and snippet-based authentication middleware when forwarding client-supplied alias forwarded headers to the authentication backend. A remote attacker can send a specially crafted request with spoofed forwarded-header aliases to bypass authentication and access protected endpoints.
Exploitation requires an authentication backend that normalizes underscore and dash header forms equivalently.
4) Insufficient verification of data authenticity (CVE-ID: CVE-2026-35051)
The vulnerability allows a remote attacker to bypass authentication and gain unauthorized access to protected backend routes.
The vulnerability exists due to insufficient verification of data authenticity in the ForwardAuth middleware when processing authentication subrequests behind a trusted upstream proxy with trustForwardHeader=false. A remote attacker can supply a spoofed X-Forwarded-Prefix header to bypass authentication and gain unauthorized access to protected backend routes.
Exploitation is security-relevant when the authentication service relies on X-Forwarded-Prefix for authorization or routing decisions, especially when StripPrefix runs before ForwardAuth.
5) Use of Incorrectly-Resolved Name or Reference (CVE-ID: CVE-2026-40912)
The vulnerability allows a remote attacker to bypass authentication and access protected content.
The vulnerability exists due to use of incorrectly resolved path references in StripPrefixRegex middleware when processing percent-encoded URL paths together with ForwardAuth, BasicAuth, or DigestAuth. A remote attacker can send a specially crafted request with a percent-encoded dot in the prefix portion of the URL to bypass authentication and access protected content.
Exploitation requires a backend that performs dot-segment normalization.
Remediation
Install the update from the vendor's website.
References
- https://github.com/traefik/traefik/security/advisories/GHSA-xhjw-95fp-8vgq
- https://github.com/traefik/traefik/security/advisories/GHSA-6x2q-h3cr-8j2h
- https://github.com/traefik/traefik/advisories/GHSA-6x2q-h3cr-8j2h
- https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm
- https://github.com/traefik/traefik/blob/174e5d81111d8e9fb3d3c81cf6d22f3e33eb4f78/pkg/middlewares/auth/forward.go#L401-L408
- https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54
- https://github.com/traefik/traefik/security/advisories/GHSA-6jwx-7vp4-9847