traefik

Top products

The 15 most recently published vulnerabilities affecting traefik.

• CVE-2026-44774Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false9.9May 15, 2026
• CVE-2026-41181Traefik: Errors middleware forwards Authorization and Cookie headers to separate error page service5.8May 15, 2026
• CVE-2026-41263Traefik: BasicAuth middleware: timing side-channel vulnerability3.7Apr 30, 2026
• CVE-2026-40912Traefik: StripPrefixRegex auth bypass via Path/RawPath desync8.2Apr 30, 2026
• CVE-2026-39858Traefik: Forwarded alias spoofing top pre-auth decision bypass10.0Apr 30, 2026
• CVE-2026-35051Traefik: ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass auth10.0Apr 30, 2026
• CVE-2026-41174Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding6.4Apr 30, 2026
• CVE-2026-33433Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField8.8Mar 27, 2026
• CVE-2026-32695Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass7.7Mar 27, 2026
• CVE-2026-32595Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration3.7Mar 20, 2026
• CVE-2026-32305Traefik mTLS bypass via fragmented ClientHello SNI extraction failure5.3Mar 20, 2026
• CVE-2026-29777Traefik has a kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values6.5Mar 11, 2026
• CVE-2026-29054Traefik: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)7.5Mar 5, 2026
• CVE-2026-26999Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (slowloris doS)7.5Mar 5, 2026
• CVE-2026-26998Traefik: unbounded io.ReadAll on auth server response body causes OOM denial of service(DOS)4.4Mar 5, 2026