SB2026070350 - Multiple vulnerabilities in Traefik
Published: July 3, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Incorrect authorization (CVE-ID: CVE-2026-48020)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass route-level authentication and authorization and access protected backend paths.
The vulnerability exists due to incorrect authorization in the StripPrefix middleware when processing request paths containing .. or percent-encoded %2e%2e with PathPrefix-based public routes. A remote attacker can send a specially crafted request to bypass route-level authentication and authorization and access protected backend paths.
Exploitation requires a configuration where a public router uses PathPrefix together with StripPrefix and a separate router protects backend paths such as admin or internal endpoints.
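A defender-side check for the first issue, added here as an illustration and not code from Traefik or from this bulletin: it canonicalizes the request path (one layer of percent-decoding, then dot-segment resolution) before comparing it with the public prefix, so a request that a PathPrefix router accepts on its raw form but that resolves outside that prefix is refused before StripPrefix and the backend ever see it. The prefix /public and the sample paths are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// canonicalPath applies one layer of percent-decoding (enough for the
// %2e%2e form named in the bulletin) and resolves "." and ".." segments,
// so the path compared against the prefix is the one a backend would act on.
func canonicalPath(raw string) (string, error) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", err
	}
	// The leading slash keeps ".." from climbing above the root.
	return path.Clean("/" + decoded), nil
}

// escapesPrefix reports whether a request accepted by a PathPrefix router
// on its raw path resolves, after canonicalization, to a location outside
// that prefix (for example into a separately protected /admin router).
// A request the public router would not match at all returns false.
func escapesPrefix(rawPath, publicPrefix string) (bool, error) {
	if !strings.HasPrefix(rawPath, publicPrefix) {
		return false, nil
	}
	canon, err := canonicalPath(rawPath)
	if err != nil {
		return true, err // undecodable paths are refused rather than forwarded
	}
	prefix := path.Clean("/" + publicPrefix)
	inside := canon == prefix || strings.HasPrefix(canon, prefix+"/")
	return !inside, nil
}

func main() {
	// Constructed sample paths; /public is an assumed public PathPrefix.
	for _, p := range []string{"/public/index.html", "/public/a/../b", "/public/../admin", "/public/%2e%2e/admin"} {
		esc, err := escapesPrefix(p, "/public")
		fmt.Printf("%-24s escapes=%v err=%v\n", p, esc, err)
	}
}
```

Running the same canonicalization over access-log paths and flagging entries whose raw and canonical forms differ gives a simple retrospective detection for this request pattern.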
2) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2026-48491)
CWE-ID: CWE-288 - Authentication Bypass Using an Alternate Path or Channel
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass mutual TLS authentication and access protected backends.
The vulnerability exists due to improper authentication in SNICheck when resolving TLSOptions for wildcard host rules during domain-fronted HTTPS or HTTP/2 requests. A remote attacker can complete a TLS handshake using a permissive SNI and then send a crafted Host header targeting a wildcard-protected backend to bypass mutual TLS authentication and access protected backends.
Exploitation requires a wildcard-protected router with stricter TLS options and another permissive SNI served on the same entrypoint.
3) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2026-53622)
CWE-ID: CWE-288 - Authentication Bypass Using an Alternate Path or Channel
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass client certificate authentication and access protected backends.
The vulnerability exists due to authentication bypass using an alternate path or channel in the HTTP/3 TLS configuration selection logic when handling QUIC handshakes for wildcard or mixed-case hostnames. A remote attacker can send a crafted HTTP/3 request with an SNI value that causes fallback to the default TLS configuration to bypass client certificate authentication and access protected backends.
Exploitation requires HTTP/3 to be enabled on the affected entrypoint, router-specific TLSOptions to enforce client certificate authentication, a weaker default TLS configuration, and attacker reachability to the UDP entrypoint.
Remediation
Install the update from the vendor's website.