Security Advisories · traefik/traefik · GitHub

Security Advisories

View known security vulnerabilities and report new vulnerabilities privately to maintainers.

Report a vulnerability

Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false
GHSA-96qj-4jj5-wcjc published May 11, 2026 by nmengin

Moderate
Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding
GHSA-xhjw-95fp-8vgq published Apr 24, 2026 by nmengin

Moderate
Errors middleware forwards Authorization and Cookie headers to separate error page service
GHSA-p6hg-qh38-555r published May 4, 2026 by nmengin

Moderate
BasicAuth middleware: timing side-channel vulnerability
GHSA-6x2q-h3cr-8j2h published Apr 24, 2026 by nmengin

Moderate
Forwarded alias spoofing top pre-auth decision bypass
GHSA-5m6w-wvh7-57vm published Apr 24, 2026 by nmengin

High
ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass auth
GHSA-6384-m2mw-rf54 published Apr 24, 2026 by nmengin

High
StripPrefixRegex auth bypass via Path/RawPath desync
GHSA-6jwx-7vp4-9847 published Apr 24, 2026 by nmengin

High
Fix CVE-2026-33186
GHSA-46wh-3698-f2cx published Mar 27, 2026 by nmengin

High
BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField
GHSA-qr99-7898-vr7c published Mar 27, 2026 by nmengin

Moderate
Ingress Rule Injection Allows Host Restriction Bypass in Traefik
GHSA-67jx-r9pv-98rj published Mar 27, 2026 by nmengin

Moderate