SB2026070351 - Multiple vulnerabilities in Traefik

Published: July 3, 2026

Security Bulletin ID: SB2026070351
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 50% (1 of 2), Low: 50% (1 of 2)

Description

This security bulletin contains information about 2 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-54761)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to expose internal Traefik services.

The vulnerability exists due to improper access control in the Kubernetes Gateway provider: the crossProviderNamespaces allowlist is not enforced consistently for HTTPRoute rules that carry multiple backendRefs (mixed or weighted backendRef lists). A remote user who can create or modify an accepted HTTPRoute can craft a rule with multiple backendRefs and set backendRef.namespace to an allow-listed namespace, exposing internal Traefik services that the allowlist is meant to protect.

Exploitation requires the ability to create or modify an accepted HTTPRoute and the presence of a matching ReferenceGrant from an allow-listed namespace. Routes with a single backendRef are not described as affected.


2) Not Failing Securely ('Failing Open') (CVE-ID: CVE-2026-54762)

CWE-ID: CWE-636 - Not Failing Securely ('Failing Open')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to access backend services without authentication.

The vulnerability exists because the Kubernetes Ingress NGINX provider fails open when it cannot resolve or parse the auth Secret referenced by an Ingress that explicitly enables BasicAuth or DigestAuth. When the Secret is missing, malformed, unreadable, or denied by policy, the authentication middleware is skipped while the router is still emitted and keeps forwarding traffic to the backend service. A remote attacker can send requests to an affected route and reach the backend service without presenting any credentials.

A route is therefore exposed even when the Ingress author did everything right at the annotation level: the loss of the Secret alone, not a misconfiguration of the Ingress, is enough to remove authentication.
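The following triage script is an added example and is not Traefik's own code or part of this bulletin. It reads the JSON that kubectl emits and flags the two shapes the advisories above describe: for CVE-2026-54761, HTTPRoute rules with more than one backendRef where at least one backendRef points at a namespace other than the route's own; for CVE-2026-54762, Ingresses carrying the ingress-nginx auth-type annotation set to basic or digest whose referenced auth Secret cannot be found or lacks the default auth key. The annotation names are the ingress-nginx ones; the assumption that the Secret must contain an `auth` key follows the default auth-file layout. All Kubernetes objects embedded below are constructed for this example.

```python
"""Triage helper for the two Traefik advisories (added example, not Traefik code).

Feed it the output of:
  kubectl get httproutes -A -o json
  kubectl get ingresses -A -o json
  kubectl get secrets -A -o json
Findings are returned as lists so they can be asserted on or printed.
"""
import json

# ingress-nginx annotations that Traefik's kubernetesIngressNGINX provider honours.
AUTH_TYPE = "nginx.ingress.kubernetes.io/auth-type"
AUTH_SECRET = "nginx.ingress.kubernetes.io/auth-secret"


def cross_namespace_multi_backend_routes(httproutes):
    """Return (namespace/name, rule index, sorted foreign namespaces) for every
    HTTPRoute rule that has two or more backendRefs and at least one backendRef
    whose namespace differs from the route's own namespace.  Single-backendRef
    rules are skipped because the advisory only describes the multi-ref path."""
    findings = []
    for route in httproutes.get("items", []):
        meta = route["metadata"]
        own_ns = meta["namespace"]
        for idx, rule in enumerate(route.get("spec", {}).get("rules", [])):
            refs = rule.get("backendRefs", [])
            if len(refs) < 2:
                continue
            # A backendRef without an explicit namespace targets the route's namespace.
            foreign = sorted({r.get("namespace", own_ns) for r in refs
                              if r.get("namespace", own_ns) != own_ns})
            if foreign:
                findings.append((f"{own_ns}/{meta['name']}", idx, foreign))
    return findings


def unresolvable_auth_ingresses(ingresses, secrets):
    """Return (namespace/name, reason) for Ingresses that enable basic or digest
    auth but whose auth Secret is unreferenced, absent, or missing the 'auth'
    key (assumption: default auth-file layout).  These are the routes a
    fail-open provider would serve without authentication."""
    present = {}
    for sec in secrets.get("items", []):
        m = sec["metadata"]
        present[(m["namespace"], m["name"])] = sec.get("data", {})
    findings = []
    for ing in ingresses.get("items", []):
        meta = ing["metadata"]
        ident = f"{meta['namespace']}/{meta['name']}"
        ann = meta.get("annotations", {})
        if ann.get(AUTH_TYPE, "").lower() not in ("basic", "digest"):
            continue
        ref = ann.get(AUTH_SECRET, "")
        if not ref:
            findings.append((ident, "auth-secret annotation missing"))
            continue
        # ingress-nginx accepts either "name" or "namespace/name".
        ns, _, name = ref.rpartition("/")
        ns = ns or meta["namespace"]
        data = present.get((ns, name))
        if data is None:
            findings.append((ident, f"secret {ns}/{name} not found"))
        elif "auth" not in data:
            findings.append((ident, f"secret {ns}/{name} has no 'auth' key"))
    return findings


# Constructed sample objects (not taken from any real cluster).
SAMPLE_HTTPROUTES = {"items": [
    {"metadata": {"namespace": "tenant-a", "name": "web"},
     "spec": {"rules": [
         {"backendRefs": [{"name": "web", "port": 80}]},
         {"backendRefs": [{"name": "web", "port": 80, "weight": 90},
                          {"name": "canary", "namespace": "shared", "port": 80, "weight": 10}]}]}},
    {"metadata": {"namespace": "tenant-b", "name": "api"},
     "spec": {"rules": [{"backendRefs": [{"name": "api", "namespace": "shared", "port": 8080}]}]}},
]}
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"namespace": "apps", "name": "admin",
                  "annotations": {AUTH_TYPE: "basic", AUTH_SECRET: "admin-auth"}}},
    {"metadata": {"namespace": "apps", "name": "metrics",
                  "annotations": {AUTH_TYPE: "digest", AUTH_SECRET: "security/metrics-auth"}}},
    {"metadata": {"namespace": "apps", "name": "public", "annotations": {}}},
]}
SAMPLE_SECRETS = {"items": [
    {"metadata": {"namespace": "apps", "name": "admin-auth"},
     "data": {"auth": "YWRtaW46JGFwcjEkZXhhbXBsZQ=="}},
]}


if __name__ == "__main__":
    print(json.dumps({
        "CVE-2026-54761": cross_namespace_multi_backend_routes(SAMPLE_HTTPROUTES),
        "CVE-2026-54762": unresolvable_auth_ingresses(SAMPLE_INGRESSES, SAMPLE_SECRETS),
    }, indent=2))
```

Run against live data by loading the three kubectl JSON dumps with `json.load` and passing them in place of the sample objects. A hit from the first function is a route to review for a missing or overly broad ReferenceGrant; a hit from the second is a route that, on an unpatched Traefik, is reachable without credentials and should be fixed or removed before the upgrade is rolled out.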


Remediation

Install the update from the vendor's website. Until the patched version is deployed, review HTTPRoutes with cross-namespace backendRefs and ReferenceGrants in allow-listed namespaces, and verify that every Ingress enabling BasicAuth or DigestAuth references a Secret that exists and is readable by Traefik.