Not Failing Securely ('Failing Open') in Traefik - CVE-2026-54762

Published: July 3, 2026


Vulnerability identifier: #VU136874
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-54762
CWE-ID: CWE-636
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Containous
Affected software: Traefik

Detailed vulnerability description

The vulnerability allows a remote attacker to access backend services without authentication.

The vulnerability exists because the Kubernetes Ingress NGINX provider fails open when it cannot resolve or parse the auth Secret referenced by an Ingress that explicitly enables BasicAuth or DigestAuth. A remote attacker can send requests to an affected route and reach the backend service without authenticating.

The issue occurs because the authentication middleware is skipped when the referenced auth Secret is missing, malformed, unreadable, or denied by policy, while the router for the backend service is still emitted.
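The fail-open pattern described above (CWE-636), shown beside its fail-closed counterpart, as an added example in Go that is not Traefik's code. The IngressSpec and Router types, the buildRouterFailOpen and buildRouterFailClosed functions, and the Secret store are all constructed for this illustration; only the behaviour (auth middleware dropped on a Secret error while the router is still emitted, versus the router being withheld) mirrors the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"log"
)

// IngressSpec is a constructed stand-in for the relevant fields of an Ingress:
// the route path, whether the Ingress opted in to auth, and the Secret it references.
type IngressSpec struct {
	Name       string
	Path       string
	AuthType   string // "" (no auth), "basic" or "digest"
	AuthSecret string // name of the Secret holding the credentials
}

// Router is the constructed emitted route; Middlewares lists attached auth middleware names.
type Router struct {
	Name        string
	Path        string
	Middlewares []string
}

var (
	ErrSecretNotFound  = errors.New("auth secret not found")
	ErrSecretMalformed = errors.New("auth secret malformed")
)

// SecretLookup resolves a Secret by name; lookupConstructed below emulates the cluster.
type SecretLookup func(name string) (map[string][]byte, error)

// buildAuthMiddleware returns the middleware name for the spec, or an error when the
// referenced Secret cannot be resolved or does not carry the expected "auth" key.
func buildAuthMiddleware(spec IngressSpec, lookup SecretLookup) (string, error) {
	data, err := lookup(spec.AuthSecret)
	if err != nil {
		return "", err
	}
	if _, ok := data["auth"]; !ok {
		return "", ErrSecretMalformed
	}
	return spec.Name + "-" + spec.AuthType + "-auth", nil
}

// buildRouterFailOpen reproduces the fail-open defect: on a Secret error the problem is
// only logged, and the router is still emitted with no auth middleware attached.
func buildRouterFailOpen(spec IngressSpec, lookup SecretLookup) (*Router, error) {
	r := &Router{Name: spec.Name, Path: spec.Path}
	if spec.AuthType != "" {
		mw, err := buildAuthMiddleware(spec, lookup)
		if err != nil {
			log.Printf("ingress %s: auth secret problem: %v (router emitted anyway)", spec.Name, err)
		} else {
			r.Middlewares = append(r.Middlewares, mw)
		}
	}
	return r, nil
}

// buildRouterFailClosed is the hardened form: an Ingress that opted in to auth is never
// emitted without it. Any Secret error withholds the router and is surfaced to the caller.
func buildRouterFailClosed(spec IngressSpec, lookup SecretLookup) (*Router, error) {
	r := &Router{Name: spec.Name, Path: spec.Path}
	if spec.AuthType != "" {
		mw, err := buildAuthMiddleware(spec, lookup)
		if err != nil {
			return nil, fmt.Errorf("ingress %s: refusing to emit router without auth: %w", spec.Name, err)
		}
		r.Middlewares = append(r.Middlewares, mw)
	}
	return r, nil
}

// constructedSecrets emulates the cluster's Secrets: one valid, one with the wrong key.
var constructedSecrets = map[string]map[string][]byte{
	"good-auth":   {"auth": []byte("user:$apr1$placeholder-hash")},
	"broken-auth": {"users": []byte("wrong key name")},
}

func lookupConstructed(name string) (map[string][]byte, error) {
	s, ok := constructedSecrets[name]
	if !ok {
		return nil, ErrSecretNotFound
	}
	return s, nil
}

func main() {
	spec := IngressSpec{Name: "app", Path: "/app", AuthType: "basic", AuthSecret: "missing-auth"}
	open, _ := buildRouterFailOpen(spec, lookupConstructed)
	fmt.Printf("fail-open:   router emitted=%v middlewares=%v\n", open != nil, open.Middlewares)
	closed, err := buildRouterFailClosed(spec, lookupConstructed)
	fmt.Printf("fail-closed: router emitted=%v err=%v\n", closed != nil, err)
}
```

The fail-closed variant treats every Secret failure (absent, malformed, unreadable, denied) the same way: the route is not published at all, so a misconfigured Secret produces a visible error rather than a silently unauthenticated backend. Auditing emitted routes for Ingresses that declare an auth type but carry no auth middleware is the corresponding detection check.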


How to mitigate CVE-2026-54762

Install the security update from the vendor's website.

Sources