SB2026070351 - Multiple vulnerabilities in Traefik
Published: July 3, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-54761)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to expose internal Traefik services.
The vulnerability exists because the Kubernetes Gateway provider does not correctly enforce the crossProviderNamespaces allowlist for HTTPRoutes with multiple backendRefs when processing mixed or weighted backendRef lists. A remote user can create a specially crafted HTTPRoute with multiple backendRefs, pointing backendRef.namespace at an allow-listed namespace, to expose internal Traefik services.
Exploitation requires the ability to create or modify an accepted HTTPRoute and the presence of a matching ReferenceGrant from an allow-listed namespace.
2) Not Failing Securely ('Failing Open') (CVE-ID: CVE-2026-54762)
CWE-ID: CWE-636 - Not Failing Securely ('Failing Open')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to access backend services without authentication.
The vulnerability exists because the Kubernetes Ingress NGINX provider fails open when resolving or parsing the auth Secret referenced by an Ingress that explicitly enables BasicAuth or DigestAuth. A remote attacker can send requests to an affected route to access backend services without authentication.
The issue occurs when the referenced auth Secret is missing, malformed, unreadable, or denied by policy: the authentication middleware is skipped, while the router is still emitted to the backend service.
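The fail-open pattern described above, shown as an added Go example that is not Traefik's code: a toy provider resolves the auth Secret an Ingress asks for and either emits the route without its middleware on any error (the vulnerable shape) or refuses to emit the route at all (the hardened shape). The Secret store, route type, error names and sample Secrets are all constructed for this example and do not correspond to Traefik's own types.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Failure modes for resolving the auth Secret named by an Ingress. They model the
// cases the bulletin lists (missing, malformed, unreadable, denied by policy);
// the names are this example's own, not Traefik's.
var (
	ErrSecretNotFound  = errors.New("auth secret not found")
	ErrSecretDenied    = errors.New("auth secret access denied by policy")
	ErrSecretMalformed = errors.New("auth secret malformed")
)

// Secret is the subset of a Kubernetes Secret this example needs (constructed).
type Secret struct {
	Denied bool              // models a Secret the provider is not allowed to read
	Data   map[string][]byte // "users" holds htpasswd-style "user:hash" lines
}

// SecretStore resolves a Secret by namespace and name; memStore is an in-memory stand-in.
type SecretStore interface {
	Get(namespace, name string) (*Secret, error)
}

type memStore map[string]*Secret

func (m memStore) Get(namespace, name string) (*Secret, error) {
	s, ok := m[namespace+"/"+name]
	if !ok {
		return nil, ErrSecretNotFound
	}
	if s.Denied {
		return nil, ErrSecretDenied
	}
	return s, nil
}

// Route is what the provider emits to the router; Middlewares names the
// middlewares that must run before a request reaches the backend.
type Route struct {
	Host        string
	Middlewares []string
}

// loadBasicAuthUsers resolves and parses the "users" key of the referenced Secret.
// Every failure is returned as an error so the caller decides how to react.
func loadBasicAuthUsers(store SecretStore, namespace, name string) ([]string, error) {
	secret, err := store.Get(namespace, name)
	if err != nil {
		return nil, err
	}
	raw := bytes.TrimSpace(secret.Data["users"])
	if len(raw) == 0 {
		return nil, fmt.Errorf("%w: no users key", ErrSecretMalformed)
	}
	var users []string
	for _, line := range bytes.Split(raw, []byte("\n")) {
		if !bytes.Contains(line, []byte(":")) {
			return nil, fmt.Errorf("%w: line %q is not user:hash", ErrSecretMalformed, line)
		}
		users = append(users, string(line))
	}
	return users, nil
}

// buildRouteFailOpen is the vulnerable shape: on any Secret error the provider only
// logs and still emits the route, now without the auth middleware the Ingress asked for.
func buildRouteFailOpen(store SecretStore, namespace, host, secretName string) *Route {
	r := &Route{Host: host}
	if _, err := loadBasicAuthUsers(store, namespace, secretName); err != nil {
		fmt.Printf("warning: %s: %v (route emitted anyway)\n", host, err)
		return r // BUG: an unauthenticated route reaches the backend
	}
	r.Middlewares = append(r.Middlewares, "basic-auth@"+secretName)
	return r
}

// buildRouteFailClosed is the hardened shape: failing to materialise the requested
// auth middleware is an error, and no route is emitted for that Ingress.
func buildRouteFailClosed(store SecretStore, namespace, host, secretName string) (*Route, error) {
	if _, err := loadBasicAuthUsers(store, namespace, secretName); err != nil {
		return nil, fmt.Errorf("route %s: refusing to emit without auth: %w", host, err)
	}
	return &Route{Host: host, Middlewares: []string{"basic-auth@" + secretName}}, nil
}

// sampleStore holds constructed Secrets covering the good case and each failure mode.
func sampleStore() SecretStore {
	return memStore{
		"default/good":      {Data: map[string][]byte{"users": []byte("alice:$apr1$EXAMPLEHASH\n")}},
		"default/malformed": {Data: map[string][]byte{"users": []byte("alice-without-hash")}},
		"default/denied":    {Denied: true},
	}
}

func main() {
	store := sampleStore()
	for _, name := range []string{"good", "missing", "malformed", "denied"} {
		open := buildRouteFailOpen(store, "default", "app.example.test", name)
		closed, err := buildRouteFailClosed(store, "default", "app.example.test", name)
		fmt.Printf("%-9s fail-open middlewares=%v  fail-closed emitted=%v err=%v\n",
			name, open.Middlewares, closed != nil, err)
	}
}
```

The detection-relevant point is in the return types: the fail-closed builder cannot express "route without its auth" at all, so a missing or unreadable Secret surfaces as a provider error to investigate rather than as a silently exposed backend.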
Remediation
Install the update from the vendor's website.