Package impact
GO / github.com/traefik/traefik/v3
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-39858 | critical | 10.0 | 10.0 | 28d ago | Traefik: Pre-authentication decision bypass due to forwarded alias spoofing | |
| CVE-2026-35051 | critical | 10.0 | 10.0 | 28d ago | Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication | |
| CVE-2026-44774 | critical | 9.9 | 9.9 | 13d ago | Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false | |
| CVE-2026-40912 | high | 8.2 | 8.2 | 28d ago | Traefik has an StripPrefixRegex Middleware Authorization Bypass via Path/RawPath Desync |