SB2026070352 - Multiple vulnerabilities in Traefik
Published: July 3, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Incorrect authorization (CVE-ID: CVE-2026-54765)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to alter security-sensitive backend request context across routes and bypass authorization controls.
The vulnerability exists due to improper access control in pkg/provider/kubernetes/gateway/httproute.go when resolving accepted HTTPRoute backendRef filters for routes sharing the same backend Service:port. A remote user can create or modify an accepted HTTPRoute with different backendRef filters to alter security-sensitive backend request context across routes and bypass authorization controls.
Cross-namespace impact is possible when a ReferenceGrant permits targeting the shared backend.
2) Insufficient verification of data authenticity (CVE-ID: CVE-2026-54764)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass port-based authorization checks.
The vulnerability exists due to insufficient verification of data authenticity in the ForwardAuth middleware when handling requests with a spoofed X-Forwarded-Proto header while trustForwardHeader is set to false. A remote attacker can send a specially crafted request to bypass port-based authorization checks.
Exploitation affects deployments where the downstream authentication service makes authorization decisions based on the X-Forwarded-Port header.
3) Improper Handling of Case Sensitivity (CVE-ID: CVE-2026-54763)
CWE-ID: CWE-178 - Improper Handling of Case Sensitivity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote user to spoof identity or authorization context.
The vulnerability exists due to improper handling of case sensitivity in BasicAuth, DigestAuth, ForwardAuth, and ingress-nginx snippet authResponseHeaders handling when processing underscore-variant identity headers. A remote user can send a specially crafted request with underscore-variant headers to spoof identity or authorization context.
In the ForwardAuth authResponseHeaders path, exploitation does not require credentials.
Remediation
Install update from vendor's website.
References
- https://github.com/traefik/traefik/security/advisories/GHSA-6p8f-p8j2-rqmv
- https://github.com/traefik/traefik/releases/tag/v3.7.6
- https://github.com/traefik/traefik/security/advisories/GHSA-3q9r-p662-5j8m
- https://github.com/traefik/traefik/issues
- https://github.com/traefik/traefik/security/advisories/GHSA-x677-9fxg-v5c5
- https://github.com/traefik/traefik