Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Summary
There is a vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement.
When providers.kubernetesCRD.allowCrossNamespace=false, Traefik correctly rejects direct cross-namespace middleware references from IngressRoute objects, but fails to apply the same restriction to middleware references nested inside a Chain middleware's spec.chain.middlewares[]. An actor with permission to create or update Traefik CRDs in their own namespace can exploit this to cause Traefik to resolve and apply middleware objects from another namespace, bypassing the documented isolation boundary.
Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.43
- https://github.com/traefik/traefik/releases/tag/v3.6.14
- https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
For more information
If there are any questions or comments about this advisory, please open an issue.
<details> <summary>Original Description</summary>
Summary
When providers.kubernetesCRD.allowCrossNamespace=false, Traefik still allows a namespace-local Middleware of type Chain to reference middleware objects from another namespace via spec.chain.middlewares[].namespace.
This bypasses the documented cross-namespace restriction and allows an actor with permission to create or update Traefik CRDs in namespace A to bind middleware defined in namespace B to routes in namespace A.
Details
Traefik documents allowCrossNamespace as the control that governs whether IngressRoute objects may reference resources in other namespaces.
Direct middleware references from IngressRoute.routes[].middlewares[] are validated in pkg/provider/kubernetes/crd/kubernetes_http.go by makeMiddlewareKeys(...), which rejects cross-namespace references when allowCrossNamespace is disabled.
However, nested middleware references inside Middleware.spec.chain.middlewares[] follow a different code path. createChainMiddleware(...) in pkg/provider/kubernetes/crd/kubernetes.go does not receive or enforce allowCrossNamespace; it resolves mi.Namespace (or defaults to the current namespace) and appends makeID(ns, mi.Name) unconditionally.
At runtime, pkg/server/middleware/middlewares.go qualifies and builds config.Chain.Middlewares, so the cross-namespace middleware is actually loaded and used.
This was verified on the current master at commit 786f7192e11878dfaa634f8263bf79bb730a71cb.
This appears related to earlier cross-namespace hardening work, but the surviving issue is a distinct nested Chain middleware code path rather than the already-guarded direct reference path.
Expected behavior
When providers.kubernetesCRD.allowCrossNamespace=false, any middleware reference that resolves to an object in another namespace should be rejected, whether referenced directly from an IngressRoute or indirectly through a local Chain middleware.
Actual behavior
A namespace-local Chain middleware can reference spec.chain.middlewares[].namespace in another namespace, and Traefik resolves and applies that middleware even when cross-namespace references are disabled.
Attacker prerequisites
The attacker must have permission to create or update Traefik CRDs in a namespace they control, but does not need permission to modify resources in the target namespace.
PoC
- Run Traefik with the Kubernetes CRD provider and set
allowCrossNamespace: false. - Create two namespaces, for example
defaultandcross-ns. - Apply a middleware in
cross-ns:
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: victim-strip
namespace: cross-ns
spec:
stripPrefix:
prefixes:
- /secret- Apply a chain middleware in
defaultthat references the middleware above:
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: mychain
namespace: default
spec:
chain:
middlewares:
- name: victim-strip
namespace: cross-ns- Apply an
IngressRouteindefaultthat references only the localmychainmiddleware:
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: demo
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`example.test`) && PathPrefix(`/demo`)
kind: Rule
middlewares:
- name: mychain
services:
- name: whoami
port: 80- Observe that Traefik accepts the configuration and resolves the resulting chain to the middleware from
cross-nseven thoughallowCrossNamespaceis disabled. - As a control, replace the local chain reference in the
IngressRoutewith a direct cross-namespace middleware reference. That direct reference is rejected whenallowCrossNamespace=false, which indicates the bypass is specific to nestedChainmiddleware resolution.
Impact
This is an authorization / trust-boundary bypass in Traefik's Kubernetes CRD provider.
Clusters that rely on providers.kubernetesCRD.allowCrossNamespace=false for namespace isolation are affected. An actor who is allowed to create or update Traefik CRDs in their own namespace can still cause Traefik to apply middleware from another namespace by referencing it indirectly through a local Chain middleware.
The practical impact depends on which middleware objects exist in the other namespace, but this can allow unauthorized reuse of security-sensitive or policy-bearing middleware across namespace boundaries. Examples include request modification, header manipulation, authentication or forward-auth related behavior, and other traffic-handling policies that were intended to remain namespace-scoped.
Testers have not verified unauthenticated remote compromise, code execution, or universal cross-tenant data exposure. The core issue is that a documented isolation control can be bypassed through the nested Chain middleware reference path.
</details>
AnalysisAI
Traefik versions prior to 2.11.43, 3.6.14, and 3.7.0-rc.2 fail to enforce cross-namespace isolation for middleware references nested inside Chain middlewares, allowing actors with permission to create CRDs in their own namespace to bypass the allowCrossNamespace=false restriction and apply middleware from arbitrary namespaces. This authorization bypass affects Kubernetes clusters relying on namespace isolation controls and can enable unauthorized reuse of security-sensitive middleware policies across namespace boundaries.
Technical ContextAI
Traefik's Kubernetes CRD provider implements namespace isolation via the allowCrossNamespace configuration flag, intended to prevent IngressRoute objects in one namespace from referencing resources in another. The vulnerability stems from a gap in validation logic: the makeMiddlewareKeys() function in pkg/provider/kubernetes/crd/kubernetes_http.go correctly validates direct middleware references from IngressRoute.routes[].middlewares[] and rejects cross-namespace entries when allowCrossNamespace is disabled. However, createChainMiddleware() in pkg/provider/kubernetes/crd/kubernetes.go lacks this validation and unconditionally resolves nested middleware references in Middleware.spec.chain.middlewares[].namespace, passing them to the runtime middleware builder without namespace enforcement. The root cause is CWE-653 (Improper Isolation or Compartmentalization), where validation logic is inconsistently applied across different code paths for the same security control. The issue affects Go packages github.com/traefik/traefik v2 and v3.
RemediationAI
Upgrade to patched versions immediately: Traefik v2.11.43 or later for v2.x branches, v3.6.14 or later for v3.6.x branches, or v3.7.0 or later for v3.7.x branches. The fix commit df00d82fc7f12e07199551832b54de6d0e55414d addresses the gap by enforcing allowCrossNamespace validation in createChainMiddleware(). Until patching is possible, administrators can implement network policy enforcement (restricting traffic between namespaces) or RBAC hardening (removing Middleware creation/update permissions from non-privileged namespaces), though these are indirect mitigations that do not address the core policy bypass. See https://github.com/traefik/traefik/releases/tag/v2.11.43, https://github.com/traefik/traefik/releases/tag/v3.6.14, and https://github.com/traefik/traefik/security/advisories/GHSA-xhjw-95fp-8vgq for patch details.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-653 – Improper Isolation or Compartmentalization
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26432
GHSA-xhjw-95fp-8vgq