Not Failing Securely ('Failing Open') in Traefik - CVE-2026-54762
Published: July 3, 2026
Traefik
Detailed vulnerability description
The vulnerability allows a remote attacker to access backend services without authentication.
The vulnerability exists due to failing open in the Kubernetes Ingress NGINX provider when resolving or parsing the referenced auth Secret for an Ingress that explicitly enables BasicAuth or DigestAuth. A remote attacker can send requests to an affected route to access backend services without authentication.
The issue occurs when an auth Secret is missing, malformed, unreadable, or denied by policy: the authentication middleware is skipped, while the router is still emitted to the backend service.
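The pattern described above, shown next to its fail-closed counterpart, as an added example that is not Traefik source code. The `Ingress` and `Route` types, `resolveSecret`, `buildRoute` and the `failClosed` switch are hypothetical names, and the Secret data is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Ingress and Route are simplified, hypothetical models (not Traefik types).
type Ingress struct {
	Name, AuthType, AuthSecret string // AuthType: "basic", "digest" or ""
}

type Route struct {
	Name        string
	Middlewares []string
}

// resolveSecret stands in for Secret lookup and parsing over constructed data.
func resolveSecret(secrets map[string]string, name string) (string, error) {
	if users := secrets[name]; users != "" {
		return users, nil
	}
	return "", errors.New("auth secret missing, malformed, unreadable or denied")
}

// buildRoute: failClosed=false reproduces the fail-open pattern (a Secret error
// skips the auth middleware, the route is still emitted); true emits no route.
func buildRoute(ing Ingress, secrets map[string]string, failClosed bool) (*Route, error) {
	r := &Route{Name: ing.Name}
	if ing.AuthType == "" {
		return r, nil // auth was never requested
	}
	if _, err := resolveSecret(secrets, ing.AuthSecret); err != nil {
		if failClosed {
			return nil, fmt.Errorf("ingress %s: %w", ing.Name, err)
		}
		return r, nil // fail open: route emitted with no auth middleware
	}
	r.Middlewares = append(r.Middlewares, ing.AuthType+"-auth")
	return r, nil
}

func main() {
	ing := Ingress{Name: "admin", AuthType: "basic", AuthSecret: "admin-users"}
	r, _ := buildRoute(ing, nil, false) // Secret absent, fail-open path
	fmt.Printf("fail open: %+v\n", r)
	_, err := buildRoute(ing, nil, true) // same input, fail-closed path
	fmt.Println("fail closed:", err)
}
```

The property to check in a fixed build is the second call's: an Ingress that requests auth and whose Secret cannot be resolved yields no route at all, rather than a route without the middleware.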