Skip to main content

Traefik

33 CVEs product

Monthly

CVE-2026-54763 HIGH PATCH This Week

Identity/authorization header spoofing in Traefik reverse proxy (before v2.11.51, v3.6.22, and v3.7.6) lets an attacker reaching a protected route smuggle an underscore-variant HTTP header past the BasicAuth, DigestAuth, and ForwardAuth middlewares' sanitization. Traefik strips canonical dashed spoofed headers before setting its own trusted value but ignores underscore forms (e.g. X_Forwarded_User vs X-Forwarded-User) that many backends normalize identically, so the forged header reaches the backend alongside — or, on the ForwardAuth authResponseHeaders path, instead of — Traefik's intended value. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but a vendor fix and upstream commit are published.

Code Injection Canonical Traefik
NVD GitHub
CVSS 4.0
7.8
EPSS
0.3%
CVE-2026-54765 MEDIUM PATCH This Month

Filter context poisoning in Traefik v3.7.0-v3.7.5 allows a low-privileged Kubernetes user to cause security-sensitive backendRef filters - such as tenant identity or authorization headers trusted by the backend - to be applied to requests from a different, co-located HTTPRoute that targets the same backend Service:port. This affects multi-tenant Kubernetes Gateway API deployments and can cross namespace boundaries when a ReferenceGrant permits cross-namespace backend targeting, making it an authorization bypass and tenant-isolation failure. No public exploit identified at time of analysis; the issue is fixed in Traefik v3.7.6.

Authentication Bypass Kubernetes Traefik
NVD GitHub
CVSS 4.0
6.3
EPSS
0.4%
CVE-2026-54764 MEDIUM PATCH This Month

Header injection in Traefik's ForwardAuth middleware allows unauthenticated remote attackers to manipulate the X-Forwarded-Port value sent to authentication backends, enabling bypass of port-based authorization checks. Affected are all Traefik v2.x prior to v2.11.51, v3.6.x from 3.0.0 prior to v3.6.22, and v3.7.x from 3.7.0 prior to v3.7.6. The flaw persists even when the trustForwardHeader: false safeguard is active, because the port derivation logic reads the original incoming request rather than the sanitized forwarded context. No public exploit code has been identified at time of analysis, and vendor-released patches are available.

Authentication Bypass Traefik
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2023-54365 Go HIGH PATCH This Week

Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 /. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Traefik
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-33433 Go MEDIUM PATCH GHSA This Month

Traefik reverse proxy and load balancer versions prior to 2.11.42, 3.6.11, and 3.7.0-ea.3 allow authenticated attackers to inject canonical HTTP header names that override non-canonical headers configured via the `headerField` setting, enabling identity impersonation to backend systems. The vulnerability exploits HTTP header handling inconsistencies where backends read the attacker-supplied canonical header before Traefik's non-canonical configuration, permitting authentication bypass for any identity. Vendor-released patches are available for all affected major versions.

Authentication Bypass Canonical Traefik
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-32695 Go MEDIUM PATCH This Month

Traefik's Knative provider fails to escape user-controlled values when interpolating host and header rules into backtick-delimited expressions, allowing attackers to inject rule syntax and bypass host restrictions in multi-tenant clusters. Versions prior to 3.6.11 and 3.7.0-ea.2 are affected. An attacker can craft malicious Knative ingress configurations to route traffic intended for one tenant to attacker-controlled hosts, enabling unauthorized cross-tenant traffic exposure and service impersonation.

Authentication Bypass Traefik
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-32595 Go LOW PATCH Monitor

Traefik's BasicAuth middleware contains a timing attack vulnerability that enables username enumeration through observable response time differences between valid and invalid usernames. An unauthenticated network attacker can distinguish existing usernames from non-existent ones by measuring response latency-valid usernames trigger ~166ms bcrypt operations while invalid usernames return in ~0.6ms, creating a ~298x timing differential. Affected versions include Traefik 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1; patches are available in versions 2.11.41, 3.6.11, and 3.7.0-ea.2.

Information Disclosure Traefik
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-32305 Go HIGH PATCH This Week

Traefik reverse proxy and load balancer contains an mTLS authentication bypass vulnerability that allows attackers to circumvent mutual TLS certificate requirements by sending fragmented TLS ClientHello packets. Affected versions include Traefik 2.11.40 and below, 3.0.0-beta1 through 3.6.10, and 3.7.0-ea.1. When ClientHello messages are fragmented across multiple TLS records, SNI extraction fails with an EOF error, causing the TCP router to fall back to default TLS configuration without client certificate validation, enabling unauthorized access to services that should require mTLS authentication.

Authentication Bypass Traefik
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.0%
CVE-2026-29054 Go HIGH PATCH This Week

Traefik versions 2.11.9-2.11.37 and 3.1.3-3.6.8 contain a case-sensitivity bypass in Connection header handling that allows unauthenticated remote attackers to remove critical X-Forwarded headers by using lowercase Connection tokens, potentially enabling header spoofing attacks. An attacker can exploit this to manipulate forwarded client information such as IP addresses and hostnames, compromising the integrity of upstream application data. A patch is available for affected versions.

Information Disclosure Traefik
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26999 Go HIGH PATCH This Week

Traefik versions before 2.11.38 and 3.6.9 allow remote attackers to cause denial of service by sending incomplete TLS records to TCP routers, which causes the TLS handshake process to hang indefinitely while holding connections open. An unauthenticated attacker can exploit this by opening many stalled connections in parallel to exhaust file descriptors and goroutines, degrading or disabling the proxy service.

Traefik Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26998 Go MEDIUM PATCH This Month

Traefik versions prior to 2.11.38 and 3.6.9 fail to limit memory allocation when processing ForwardAuth middleware responses, allowing a malicious or compromised authentication server to trigger unbounded memory consumption. An attacker controlling the auth server can return an arbitrarily large response body that causes the Traefik process to exhaust available memory and crash, resulting in denial of service for all proxied routes. A patch is available in the specified versions.

Denial Of Service Traefik Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-25949 Go HIGH PATCH GHSA This Week

Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resources by exploiting improper timeout handling in STARTTLS request processing. An attacker can send a PostgreSQL SSLRequest prelude and then stall the connection indefinitely, bypassing the readTimeout protection and accumulating open connections until service availability is degraded. A patch is available in version 3.6.8.

PostgreSQL Denial Of Service Traefik
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22045 Go MEDIUM PATCH This Month

Denial of service in Traefik versions prior to 2.11.35 and 3.6.7 allows unauthenticated remote attackers to exhaust server resources by establishing incomplete ACME TLS-ALPN connections and leaving them open indefinitely. An attacker can send minimal ClientHello messages with the acme-tls/1 protocol and cease responding, causing goroutines and file descriptors to be held until the entry point becomes unavailable. The vulnerability affects systems with ACME TLS challenge enabled.

Golang TLS Denial Of Service Traefik Red Hat +1
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-54386 Go HIGH PATCH This Month

Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Privilege Escalation Denial Of Service RCE Path Traversal Traefik +2
NVD GitHub
CVSS 4.0
7.3
EPSS
0.9%
CVE-2025-47952 Go LOW PATCH Monitor

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Rated low severity (CVSS 2.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Traefik
NVD GitHub
CVSS 4.0
2.9
EPSS
0.4%
CVE-2025-32431 Go HIGH PATCH This Week

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Traefik Suse
NVD GitHub
CVSS 4.0
8.8
EPSS
0.4%
CVE-2024-52003 Go MEDIUM PATCH This Month

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Traefik
NVD GitHub
CVSS 4.0
6.3
EPSS
0.4%
CVE-2024-39321 Go HIGH PATCH This Week

Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Traefik
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-28869 Go HIGH PATCH This Week

Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Traefik
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2023-47633 Go HIGH POC PATCH This Week

Traefik is an open source HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Docker Traefik
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-47124 Go MEDIUM PATCH This Month

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Traefik
NVD GitHub
CVSS 3.1
5.9
EPSS
0.8%
CVE-2023-47106 Go MEDIUM POC PATCH This Month

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Nginx Traefik
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-29013 Go HIGH PATCH This Week

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Traefik
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-46153 Go MEDIUM PATCH This Month

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Traefik
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-23469 Go MEDIUM POC PATCH This Month

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Traefik
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2022-39271 Go HIGH PATCH This Week

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Traefik
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2022-23632 Go HIGH PATCH This Week

Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Traefik Communications Unified Inventory Management
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2021-32813 Go HIGH PATCH This Week

Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Privilege Escalation Traefik
NVD GitHub
CVSS 3.1
8.1
EPSS
1.1%
CVE-2021-27375 MEDIUM PATCH This Month

Traefik before 2.4.5 allows the loading of IFRAME elements from other domains. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Traefik
NVD GitHub
CVSS 3.1
5.3
EPSS
0.8%
CVE-2020-15129 Go MEDIUM POC PATCH This Month

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required.

Open Redirect Traefik
NVD GitHub
CVSS 3.1
4.7
EPSS
8.0%
CVE-2020-9321 Go HIGH PATCH This Week

configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Traefik Traefik Enterprise
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2019-12452 Go HIGH POC PATCH This Week

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Information Disclosure Traefik
NVD GitHub
CVSS 3.0
7.5
EPSS
2.6%
CVE-2018-15598 Go HIGH PATCH This Week

Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Traefik
NVD GitHub
CVSS 3.0
7.5
EPSS
2.9%
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Identity/authorization header spoofing in Traefik reverse proxy (before v2.11.51, v3.6.22, and v3.7.6) lets an attacker reaching a protected route smuggle an underscore-variant HTTP header past the BasicAuth, DigestAuth, and ForwardAuth middlewares' sanitization. Traefik strips canonical dashed spoofed headers before setting its own trusted value but ignores underscore forms (e.g. X_Forwarded_User vs X-Forwarded-User) that many backends normalize identically, so the forged header reaches the backend alongside — or, on the ForwardAuth authResponseHeaders path, instead of — Traefik's intended value. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but a vendor fix and upstream commit are published.

Code Injection Canonical Traefik
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Filter context poisoning in Traefik v3.7.0-v3.7.5 allows a low-privileged Kubernetes user to cause security-sensitive backendRef filters - such as tenant identity or authorization headers trusted by the backend - to be applied to requests from a different, co-located HTTPRoute that targets the same backend Service:port. This affects multi-tenant Kubernetes Gateway API deployments and can cross namespace boundaries when a ReferenceGrant permits cross-namespace backend targeting, making it an authorization bypass and tenant-isolation failure. No public exploit identified at time of analysis; the issue is fixed in Traefik v3.7.6.

Authentication Bypass Kubernetes Traefik
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Header injection in Traefik's ForwardAuth middleware allows unauthenticated remote attackers to manipulate the X-Forwarded-Port value sent to authentication backends, enabling bypass of port-based authorization checks. Affected are all Traefik v2.x prior to v2.11.51, v3.6.x from 3.0.0 prior to v3.6.22, and v3.7.x from 3.7.0 prior to v3.7.6. The flaw persists even when the trustForwardHeader: false safeguard is active, because the port derivation logic reads the original incoming request rather than the sanitized forwarded context. No public exploit code has been identified at time of analysis, and vendor-released patches are available.

Authentication Bypass Traefik
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 /. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Traefik
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Traefik reverse proxy and load balancer versions prior to 2.11.42, 3.6.11, and 3.7.0-ea.3 allow authenticated attackers to inject canonical HTTP header names that override non-canonical headers configured via the `headerField` setting, enabling identity impersonation to backend systems. The vulnerability exploits HTTP header handling inconsistencies where backends read the attacker-supplied canonical header before Traefik's non-canonical configuration, permitting authentication bypass for any identity. Vendor-released patches are available for all affected major versions.

Authentication Bypass Canonical Traefik
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Traefik's Knative provider fails to escape user-controlled values when interpolating host and header rules into backtick-delimited expressions, allowing attackers to inject rule syntax and bypass host restrictions in multi-tenant clusters. Versions prior to 3.6.11 and 3.7.0-ea.2 are affected. An attacker can craft malicious Knative ingress configurations to route traffic intended for one tenant to attacker-controlled hosts, enabling unauthorized cross-tenant traffic exposure and service impersonation.

Authentication Bypass Traefik
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Traefik's BasicAuth middleware contains a timing attack vulnerability that enables username enumeration through observable response time differences between valid and invalid usernames. An unauthenticated network attacker can distinguish existing usernames from non-existent ones by measuring response latency-valid usernames trigger ~166ms bcrypt operations while invalid usernames return in ~0.6ms, creating a ~298x timing differential. Affected versions include Traefik 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1; patches are available in versions 2.11.41, 3.6.11, and 3.7.0-ea.2.

Information Disclosure Traefik
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Traefik reverse proxy and load balancer contains an mTLS authentication bypass vulnerability that allows attackers to circumvent mutual TLS certificate requirements by sending fragmented TLS ClientHello packets. Affected versions include Traefik 2.11.40 and below, 3.0.0-beta1 through 3.6.10, and 3.7.0-ea.1. When ClientHello messages are fragmented across multiple TLS records, SNI extraction fails with an EOF error, causing the TCP router to fall back to default TLS configuration without client certificate validation, enabling unauthorized access to services that should require mTLS authentication.

Authentication Bypass Traefik
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Traefik versions 2.11.9-2.11.37 and 3.1.3-3.6.8 contain a case-sensitivity bypass in Connection header handling that allows unauthenticated remote attackers to remove critical X-Forwarded headers by using lowercase Connection tokens, potentially enabling header spoofing attacks. An attacker can exploit this to manipulate forwarded client information such as IP addresses and hostnames, compromising the integrity of upstream application data. A patch is available for affected versions.

Information Disclosure Traefik
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Traefik versions before 2.11.38 and 3.6.9 allow remote attackers to cause denial of service by sending incomplete TLS records to TCP routers, which causes the TLS handshake process to hang indefinitely while holding connections open. An unauthenticated attacker can exploit this by opening many stalled connections in parallel to exhaust file descriptors and goroutines, degrading or disabling the proxy service.

Traefik Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Traefik versions prior to 2.11.38 and 3.6.9 fail to limit memory allocation when processing ForwardAuth middleware responses, allowing a malicious or compromised authentication server to trigger unbounded memory consumption. An attacker controlling the auth server can return an arbitrarily large response body that causes the Traefik process to exhaust available memory and crash, resulting in denial of service for all proxied routes. A patch is available in the specified versions.

Denial Of Service Traefik Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resources by exploiting improper timeout handling in STARTTLS request processing. An attacker can send a PostgreSQL SSLRequest prelude and then stall the connection indefinitely, bypassing the readTimeout protection and accumulating open connections until service availability is degraded. A patch is available in version 3.6.8.

PostgreSQL Denial Of Service Traefik
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Denial of service in Traefik versions prior to 2.11.35 and 3.6.7 allows unauthenticated remote attackers to exhaust server resources by establishing incomplete ACME TLS-ALPN connections and leaving them open indefinitely. An attacker can send minimal ClientHello messages with the acme-tls/1 protocol and cease responding, causing goroutines and file descriptors to be held until the entry point becomes unavailable. The vulnerability affects systems with ACME TLS challenge enabled.

Golang TLS Denial Of Service +3
NVD GitHub
EPSS 1% CVSS 7.3
HIGH PATCH This Month

Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Privilege Escalation Denial Of Service RCE +4
NVD GitHub
EPSS 0% CVSS 2.9
LOW PATCH Monitor

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Rated low severity (CVSS 2.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Traefik
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Traefik Suse
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Traefik
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Traefik
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Traefik
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Traefik is an open source HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Docker Traefik
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Traefik
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Nginx Traefik
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Traefik
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Traefik
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Traefik
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Traefik
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Traefik Communications Unified Inventory Management
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Privilege Escalation Traefik
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Traefik before 2.4.5 allows the loading of IFRAME elements from other domains. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Traefik
NVD GitHub
EPSS 8% CVSS 4.7
MEDIUM POC PATCH This Month

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required.

Open Redirect Traefik
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Traefik Traefik Enterprise
NVD GitHub
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Information Disclosure Traefik
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Traefik
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy