CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

110 matches found

Traefik 2.11.x < 2.11.38 / 3.x < 3.6.9 Connection Header Bypass

The version of Traefik installed on the remote macOS host is 2.11.x prior to 2.11.38 or 3.x prior to 3.6.9. It is, therefore, affected by a vulnerability: - A flaw exists in HTTP/1.1 request handling due to case-sensitive comparison of Connection header tokens against protected header names. An...

7.5CVSS5.8AI score0.00014EPSS

Exploits0References4

CNNVD•added 2026/05/15 12:0 a.m.•4 views

Traefik 访问控制错误漏洞

Traefik is an open-source reverse proxy and load balancing tool developed by Traefik. Versions prior to Traefik 2.11.46, 3.6.17, and 3.7.1 contained a access control vulnerability. This vulnerability stemmed from the Kubernetes Gateway API provider, which allowed tenants with permission to create...

9.9CVSS5.8AI score0.00016EPSS

Exploits1References1

Snyk•added 2026/05/13 3:29 p.m.•4 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass in the handling of internal service references by the Gateway API provider. An attacker can gain unauthorized dynamic configuration write access by creating or updating an HTTPRoute that targets rest@internal, even...

9.9CVSS5.8AI score0.00016EPSS

Exploits1References2

ATTACKERKB•added 2026/04/30 8:39 p.m.•2 views

CVE-2026-41263

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to ho...

6.3CVSS5.3AI score0.00022EPSS

Exploits0References5Affected Software1

ATTACKERKB•added 2026/04/30 8:20 p.m.•1 views

CVE-2026-41174

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetesCRD.allowCrossNamespace=false, Traefik correctly rejects...

4.8CVSS5.2AI score0.00013EPSS

Exploits1References6Affected Software1

Snyk•added 2026/04/24 8:12 p.m.•2 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the createChainMiddleware function. Even when providers.kubernetesCRD.allowCrossNamespace=false is set, references in spec.chain.middlewares may be followed to access objects in other namespaces. A user with...

6.4CVSS5.3AI score0.00013EPSS

Exploits1References2

Snyk•added 2026/04/24 8:12 p.m.•3 views

Incorrect Authorization

6.4CVSS5.3AI score0.00013EPSS

Exploits1References2

Snyk•added 2026/04/24 4:37 p.m.•2 views

Use of Incorrectly-Resolved Name or Reference

Overview Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference in StripPrefixRegex, when used together with ForwardAuth, BasicAuth, or DigestAuth. An attacker can gain unauthorized access to protected backend resources by sending requests with...

9.1CVSS5.5AI score0.00098EPSS

Exploits1References2

Snyk•added 2026/04/24 4:32 p.m.•2 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the ServeHTTP function, which does not sufficiently sanitize X- alias headers. An attacker can gain unauthenticated access to protected endpoints by injecting spoofed trust context with...

10CVSS5.5AI score0.00088EPSS

Exploits1References2

Github Security Blog•added 2026/04/24 4:32 p.m.•6 views

Traefik: Pre-authentication decision bypass due to forwarded alias spoofing

Summary There is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names e.g., X-Forwarded-Proto and does not strip or normalize alias variants that...

10CVSS5.5AI score0.00088EPSS

Exploits1References6Affected Software3

Snyk•added 2026/04/24 4:32 p.m.•3 views

Missing Authentication for Critical Function

10CVSS5.5AI score0.00088EPSS

Exploits1References2

Snyk•added 2026/04/24 4:31 p.m.•1 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the ForwardAuth middleware when trustForwardHeader is set to false and the deployment is behind a trusted upstream proxy. An attacker can gain unauthorized access to protected backend...

10CVSS5.5AI score0.00025EPSS

Exploits1References2