Security Advisories · traefik/traefik · GitHub

Security Advisories

View known security vulnerabilities and report new vulnerabilities privately to maintainers.

Report a vulnerability

Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services
GHSA-3g6v-2r68-prfc published Jun 11, 2026 by emilevauge

Moderate
Traefik StripPrefix Route-Level Auth Bypass via Path Normalization
GHSA-xf64-8mw2-4gr2 published Jun 5, 2026 by nmengin

High
SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass
GHSA-5r4w-85f3-pw66 published Jun 5, 2026 by nmengin

High
HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts
GHSA-9cr8-q42q-g8m7 published Jun 5, 2026 by nmengin

High
Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false
GHSA-96qj-4jj5-wcjc published May 11, 2026 by nmengin

Moderate
Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding
GHSA-xhjw-95fp-8vgq published Apr 24, 2026 by nmengin

Moderate
Errors middleware forwards Authorization and Cookie headers to separate error page service
GHSA-p6hg-qh38-555r published May 4, 2026 by nmengin

Moderate
BasicAuth middleware: timing side-channel vulnerability
GHSA-6x2q-h3cr-8j2h published Apr 24, 2026 by nmengin

Moderate
Forwarded alias spoofing top pre-auth decision bypass
GHSA-5m6w-wvh7-57vm published Apr 24, 2026 by nmengin

High
ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass auth
GHSA-6384-m2mw-rf54 published Apr 24, 2026 by nmengin

High