| CVE-2026-39858 |
critical |
10.0 |
10.0 |
27d ago |
Traefik: Pre-authentication decision bypass due to forwarded alias spoofing |
|
| CVE-2026-35051 |
critical |
10.0 |
10.0 |
27d ago |
Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication |
|
| CVE-2026-44774 |
critical |
9.9 |
9.9 |
12d ago |
Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false |
|
| CVE-2026-40912 |
high |
8.2 |
8.2 |
27d ago |
Traefik has an StripPrefixRegex Middleware Authorization Bypass via Path/RawPath Desync |
|
| CVE-2026-41174 |
medium |
6.4 |
6.4 |
27d ago |
Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding |
|
| CVE-2026-41181 |
medium |
5.8 |
5.8 |
12d ago |
Traefik's errors middleware forwards Authorization and Cookie headers to separate error page service |
|
| CVE-2026-41263 |
low |
3.7 |
3.7 |
27d ago |
Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware |
|