Incorrect authorization in Traefik - #VU137267
Published: July 9, 2026
Traefik
Detailed vulnerability description
The vulnerability allows a remote user to inject attacker-selected authenticated identity headers into downstream applications.
The vulnerability exists due to incorrect authorization in HTTPRoute backendRef ExtensionRef resolution in Traefik's Kubernetes Gateway API provider when resolving HTTPRoute.spec.rules[].backendRefs[].filters[].extensionRef for a cross-namespace backend Service. A remote user can create a crafted HTTPRoute that binds a Middleware from the backend namespace without a separate grant to inject attacker-selected authenticated identity headers into downstream applications.
Exploitation requires HTTPRoute authoring capability and a ReferenceGrant that permits a cross-namespace Service reference.