Incorrect authorization in Traefik - CVE-2026-48020
Published: July 3, 2026
Traefik
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass route-level authentication and authorization and access protected backend paths.
The vulnerability exists due to incorrect authorization in the StripPrefix middleware when it processes request paths containing .. or the percent-encoded form %2e%2e on PathPrefix-based public routes. A remote attacker can send a specially crafted request to bypass route-level authentication and authorization and access protected backend paths.
Exploitation requires a configuration where a public router uses PathPrefix together with StripPrefix and a separate router protects backend paths such as admin or internal endpoints.
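A log review for the condition described above, as an added example that is not part of the advisory or of Traefik's code. It flags requests under a public prefix whose path carries a .. segment (literal or percent-encoded) and reports when the path left after prefix removal resolves under a protected prefix. The prefixes /public, /admin and /internal, the log format and the sample lines are assumptions constructed for illustration, and the logs are assumed to record the request target as received.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed deployment values, not taken from the advisory.
PUBLIC_PREFIX = "/public"                     # router using PathPrefix + StripPrefix
PROTECTED_PREFIXES = ("/admin", "/internal")  # paths guarded by a separate router

# Constructed access-log lines (common log format), for illustration only.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jul/2026:10:00:01 +0000] "GET /public/css/site.css HTTP/1.1" 200 512
203.0.113.9 - - [03/Jul/2026:10:00:02 +0000] "GET /public/../admin/users HTTP/1.1" 200 2048
203.0.113.9 - - [03/Jul/2026:10:00:03 +0000] "GET /public/%2e%2e/internal/metrics HTTP/1.1" 200 900
203.0.113.7 - - [03/Jul/2026:10:00:04 +0000] "GET /public/docs/../index.html HTTP/1.1" 200 300
203.0.113.8 - - [03/Jul/2026:10:00:05 +0000] "GET /admin/users HTTP/1.1" 401 0
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def under(path, prefix):
    """True if path is the prefix itself or a sub-path of it."""
    return path == prefix or path.startswith(prefix + "/")


def classify(target):
    """Return 'ok', 'dotdot' or 'protected' for one request target."""
    decoded = unquote(target.split("?", 1)[0])  # %2e%2e / %2E%2E become ..
    if not under(decoded, PUBLIC_PREFIX) or ".." not in decoded.split("/"):
        return "ok"
    # Path left after the public prefix is removed, with dot segments resolved.
    stripped = decoded[len(PUBLIC_PREFIX):] or "/"
    resolved = "/" + posixpath.normpath(stripped).lstrip("/")
    if any(under(resolved, p) for p in PROTECTED_PREFIXES):
        return "protected"
    return "dotdot"


def scan(log_text):
    """Return (target, status, verdict) for every log line worth reviewing."""
    findings = []
    for match in REQUEST_RE.finditer(log_text):
        verdict = classify(match["target"])
        if verdict != "ok":
            findings.append((match["target"], int(match["status"]), verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "protected" verdict paired with a 2xx status is the combination to review first, since it means the backend answered a request that the protecting router never evaluated.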