SB2026070352 - Multiple vulnerabilities in Traefik



SB2026070352 - Multiple vulnerabilities in Traefik

Published: July 3, 2026

Security Bulletin ID SB2026070352
CSH Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 33% Medium 33% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Incorrect authorization (CVE-ID: CVE-2026-54765)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to alter security-sensitive backend request context across routes and bypass authorization controls.

The vulnerability exists due to improper access control in pkg/provider/kubernetes/gateway/httproute.go when resolving accepted HTTPRoute backendRef filters for routes sharing the same backend Service:port. A remote user can create or modify an accepted HTTPRoute with different backendRef filters to alter security-sensitive backend request context across routes and bypass authorization controls.

Cross-namespace impact is possible when a ReferenceGrant permits targeting the shared backend.


2) Insufficient verification of data authenticity (CVE-ID: CVE-2026-54764)

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass port-based authorization checks.

The vulnerability exists due to insufficient verification of data authenticity in the ForwardAuth middleware when handling requests with a spoofed X-Forwarded-Proto header while trustForwardHeader is set to false. A remote attacker can send a specially crafted request to bypass port-based authorization checks.

Exploitation affects deployments where the downstream authentication service makes authorization decisions based on the X-Forwarded-Port header.


3) Improper Handling of Case Sensitivity (CVE-ID: CVE-2026-54763)

CWE-ID: CWE-178 - Improper Handling of Case Sensitivity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote user to spoof identity or authorization context.

The vulnerability exists due to improper handling of case sensitivity in BasicAuth, DigestAuth, ForwardAuth, and ingress-nginx snippet authResponseHeaders handling when processing underscore-variant identity headers. A remote user can send a specially crafted request with underscore-variant headers to spoof identity or authorization context.

In the ForwardAuth authResponseHeaders path, exploitation does not require credentials.


Remediation

Install update from vendor's website.