Skip to main content

Traefik CVE-2026-54762

| EUVDEUVD-2026-38578 MEDIUM
Not Failing Securely ('Failing Open') (CWE-636)
2026-06-19 https://github.com/traefik/traefik GHSA-4mr2-fg2p-w63c
Medium
Disputed · 5.9 Vendor: https://github.com/traefik/traefik
Share

Severity by source

Sources disagree (Low–High)
Vendor (https://github.com/traefik/traefik) PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.1 CRITICAL

Network vector, no privileges required once fail-open state exists; C:H/I:H reflects full unauthenticated backend access; A:N as bypass causes no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
4.4 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: https://github.com/traefik/traefik

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 23, 2026 - 20:22 NVD
5.9 (MEDIUM)
Source Code Evidence Fetched
Jun 19, 2026 - 23:41 vuln.today
Analysis Generated
Jun 19, 2026 - 23:41 vuln.today

DescriptionCVE.org

Summary

There is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported nginx.ingress.kubernetes.io/auth-type and auth-secret annotations, but the referenced auth Secret cannot be resolved or parsed, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. A route that operators intended to protect is therefore published to the data plane without its authentication control, allowing unauthenticated access to the backend. The trigger is an invalid or unresolved auth dependency - a missing, malformed, unreadable, or policy-denied Secret - rather than an intentionally unprotected route.

Patches

  • https://github.com/traefik/traefik/releases/tag/v3.7.5

For more information

If you have any questions or comments about this advisory, please open an issue.

<details> <summary>Original Description</summary>

Summary

Traefik's Kubernetes Ingress NGINX provider can fail open for routes that explicitly configure BasicAuth or DigestAuth through supported ingress-nginx annotations.

When an Ingress contains nginx.ingress.kubernetes.io/auth-type: basic or digest, but the referenced nginx.ingress.kubernetes.io/auth-secret cannot be resolved or parsed, Traefik logs the auth resolution error, skips installing the BasicAuth/DigestAuth middleware, and still emits a router to the backend service.

This can expose a route that operators intended to protect. The issue is not that an invalid Secret exists; the issue is that an explicitly auth-protected Ingress location is translated into a live backend route where the authentication control is removed from the generated data-plane configuration, with only a controller log entry, instead of failing closed.

Tested affected versions:

  • Current master: 29406d42898547f1ffabd904f66af06c212740cf
  • Latest tag tested by me: v3.7.1 / fa49e2bcad7ffd8a80accdf1fae1ae480913d93d

The KubernetesIngressNGINX provider is documented as no longer experimental as of v3.6.2, and the auth-type, auth-secret, auth-secret-type, and auth-realm annotations are documented supported annotations.

Details

The root cause is in pkg/provider/kubernetes/ingress-nginx/build.go. During provider translation, auth is pre-resolved for each location:

go
if ing.config.AuthType != nil {
    basic, digest, err := p.resolveBasicAuth(ing.Namespace, ing.config)
    if err != nil {
        logger.Error().
            Err(err).
            Str("ingress", fmt.Sprintf("%s/%s rule-%d path-%d", ing.Namespace, ing.Name, ri, pi)).
            Msg("Cannot resolve auth secret, skipping auth middleware")
    } else {
        loc.BasicAuth = basic
        loc.DigestAuth = digest
    }
}

The error is logged, but loc.Error is not set. Later, pkg/provider/kubernetes/ingress-nginx/translator.go only routes to unavailable-service when loc.Error is true. Since this auth error leaves loc.Error false, the generated router continues to use the real backend service, and applyMiddlewares has no BasicAuth/DigestAuth middleware to attach.

This differs from nearby fail-closed behavior for comparable provider translation failures:

  • auth-tls-secret resolution failure skips the affected ingress.
  • custom-headers ConfigMap resolution failure sets loc.Error = true, causing the translator to avoid normal backend exposure.

Security invariant:

> If an Ingress location explicitly configures BasicAuth/DigestAuth, Traefik should not forward that location to the backend unless the corresponding auth middleware is installed.

Reasonable fail-closed behaviors would include omitting the router, routing it to unavailable-service, returning 503, or attaching a deny-all middleware until the auth dependency is valid.

Expected behavior

An Ingress location with explicit auth-type: basic or auth-type: digest must not forward requests to the backend unless the generated Traefik router has the corresponding BasicAuth/DigestAuth middleware attached.

If the referenced auth Secret is missing, malformed, unreadable, denied by namespace policy, or otherwise unusable, Traefik should fail closed for that location.

Actual behavior

When auth-secret resolution fails, Traefik still creates a router to the backend service and only omits the BasicAuth/DigestAuth middleware. The only indication is a controller log entry:

text
Cannot resolve auth secret, skipping auth middleware

PoC

I reproduced this with a clean fake Kubernetes provider state. The reproduction does not use Docker provider labels, dashboard/API routing, lab backends, or public network targets.

Minimal Kubernetes objects:

  • IngressClass named nginx with controller k8s.io/ingress-nginx
  • Service named whoami in namespace default
  • EndpointSlice for the whoami service
  • Ingress with ingressClassName: nginx, a backend pointing to whoami, and these annotations:
yaml
nginx.ingress.kubernetes.io/auth-type: "basic"
nginx.ingress.kubernetes.io/auth-secret-type: "auth-file"
nginx.ingress.kubernetes.io/auth-secret: "default/missing-basic-auth"

The referenced Secret intentionally does not exist. The expected secure behavior is fail-closed for this auth-configured route. The observed behavior is a normal router to the backend without BasicAuth/DigestAuth.

Key failing assertion from the regression harness:

text
router forwards to backend service without BasicAuth/DigestAuth when auth-secret is missing; middlewares=[default-auth-missing-secret-rule-0-path-0-retry] service="default-auth-missing-secret-whoami-80"

The same behavior reproduces on both current master and v3.7.1.

I also tested a matrix of auth-secret resolution failures. In each error case, Traefik still emitted the backend router without BasicAuth/DigestAuth:

  • missing auth-secret
  • omitted/empty auth-secret
  • invalid auth-secret-type
  • auth-file Secret missing the required auth key
  • empty auth-map Secret
  • missing DigestAuth Secret
  • cross-namespace auth-secret denied by default policy

The same matrix includes a positive control where a valid auth-file Secret correctly attaches BasicAuth, confirming that the harness is exercising the intended provider path.

I also performed a clean-room revalidation from fresh git archive source trees for both source/master and v3.7.1. Only the two minimal test harnesses were copied into each archived source tree. This avoided contamination from lab compose files, Docker provider state, dashboard/API routes, prior source-tree test files, or running lab backends.

Threat model

This does not require an attacker to modify Traefik static configuration or Traefik process state. The relevant security boundary is the Kubernetes-declared route policy: an Ingress explicitly declares BasicAuth/DigestAuth, but Traefik publishes the data-plane route without that control when the auth dependency is invalid.

In multi-tenant or GitOps-managed clusters, the actor or automation that can affect Secret existence, Secret contents, namespace policy, or deployment ordering is not necessarily the same actor that owns the protected backend or Traefik deployment. As a result, a mistake, rollback, pruning job, policy change, or compromise limited to Kubernetes application resources can remove the effective auth boundary while the Ingress continues to declare that auth is required.

Impact

This is a fail-open authentication control issue leading to unintended unauthenticated route exposure.

The trigger is an invalid or unresolved auth dependency, but the security consequence is a data-plane route that violates explicit auth intent. This is materially different from intentionally deploying an unprotected route: the Ingress declares auth-type: basic or digest, yet Traefik publishes the backend without the corresponding auth middleware.

Realistic scenarios include:

  • GitOps, Helm, or CI/CD deploys Ingress and Secret resources separately. Ordering issues, rollbacks, pruning, or typos can leave the Ingress active while the auth Secret is absent or unreadable.
  • Kubernetes RBAC commonly separates ownership of Ingress objects, Secrets, and namespace policies. A lower-privileged namespace actor or deployment automation may be able to affect the referenced Secret or cross-namespace reference outcome without having direct access to Traefik static configuration.
  • During ingress-nginx migration, operators reasonably expect supported nginx.ingress.kubernetes.io/auth-* annotations to preserve the authentication boundary. Publishing the backend without auth is a worse failure mode than rejecting the invalid location.
  • A transient Secret deletion, malformed Secret update, or policy change can turn an already protected route into an unprotected route without changing the Ingress rule itself.

Controller logs are not a sufficient mitigation. Logs do not prevent exposure, may not page the service owner, and the first externally visible symptom can be unauthenticated access to the protected backend.

Suggested remediation

Fail closed on any resolveBasicAuth error. A minimal tested change is to mark the location as errored:

diff
 if err != nil {
     logger.Error().
         Err(err).
         Str("ingress", fmt.Sprintf("%s/%s rule-%d path-%d", ing.Namespace, ing.Name, ri, pi)).
         Msg("Cannot resolve auth secret, skipping auth middleware")
+    loc.Error = true
 } else {

This reuses the existing loc.Error / unavailable-service path. In my local validation, this change made the no-backend-without-auth regression pass while preserving the valid-secret positive control.

</details>

---

AnalysisAI

The Kubernetes Ingress NGINX provider in Traefik v3.7.0-ea.1 through v3.7.4 fails open when BasicAuth or DigestAuth cannot be installed because the referenced auth-secret is unresolvable, silently publishing the intended-to-be-protected backend route without any authentication middleware to unauthenticated network clients. Operators who explicitly configure auth via nginx.ingress.kubernetes.io/auth-type and auth-secret annotations are left with a live, fully accessible backend route while Traefik logs a single controller-level error and routes traffic normally - a direct violation of the declared security intent. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Traefik-managed Kubernetes route with auth annotations
Delivery
Confirm auth-secret is missing or malformed in cluster
Exploit
Traefik has already emitted backend router without BasicAuth/DigestAuth middleware
Execution
Send unauthenticated HTTP request to exposed route
Impact
Access protected backend resources without credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires three simultaneous conditions: (1) Traefik is running the KubernetesIngressNGINX provider at version >= 3.7.0-ea.1 and <= 3.7.4; (2) an Ingress object carries nginx.ingress.kubernetes.io/auth-type set to basic or digest with a corresponding auth-secret annotation; and (3) the referenced Kubernetes Secret is in a failed state - specifically one of: the Secret does not exist, the Secret exists but is missing the required auth key (for auth-file type), the Secret exists but the auth-map is empty, the auth-secret-type annotation is invalid, or the cross-namespace Secret reference is denied by RBAC or namespace policy. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is elevated by the operational scenarios that commonly trigger the fail-open state: GitOps or Helm deployments that apply Ingress objects before their dependent Secrets, rollback or pruning jobs that delete Secrets while Ingresses remain, transient RBAC policy changes, and ingress-nginx migration workflows where operators rely on annotation parity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a Kubernetes cluster running Traefik v3.7.x discovers an Ingress route whose nginx.ingress.kubernetes.io/auth-secret references a Secret that was deleted during a Helm rollback earlier in the day. Because Traefik has already translated the Ingress into a live backend router without BasicAuth middleware, the attacker sends plain unauthenticated HTTP GET requests to the route and receives full backend responses - no credentials, no brute-force, no exploit payload required. …
Remediation Upgrade Traefik to v3.7.5, which is the vendor-released patched version confirmed to address CVE-2026-54762 via pull request #13323. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Module for Package Hub 15 SP5 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP6 Affected
openSUSE Leap 15.5 Affected
openSUSE Leap 15.6 Affected

Share

CVE-2026-54762 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy