CVE-2026-54762
CVE-2026-54762 is a high-severity vulnerability in Traefik with a CVSS 3.x base score of 8.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-636.
Key facts
- Severity: High (CVSS 3.x base score 8.6)
- CVSS v4: 5.9
- EPSS exploit prediction: 0% (28th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-38578
- Weakness: CWE-636
- Affected product: Traefik
- Published:
- Last modified:
Description
Traefik is an HTTP reverse proxy and load balancer. From 3.7.0-ea.1 until 3.7.5, there is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported nginx.ingress.kubernetes.io/auth-type and auth-secret annotations, but the referenced auth Secret cannot be resolved or parsed, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. A route that operators intended to protect is therefore published to the data plane without its authentication control, allowing unauthenticated access to the backend. The trigger is an invalid or unresolved auth dependency — a missing, malformed, unreadable, or policy-denied Secret — rather than an intentionally unprotected route. This vulnerability is fixed in 3.7.5.
Frequently asked questions
- What is CVE-2026-54762?
- Traefik is an HTTP reverse proxy and load balancer. From 3.7.0-ea.1 until 3.7.5, there is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported nginx.ingress.kubernetes.io/auth-type and auth-secret annotations, but the referenced auth Secret cannot be resolved or parsed, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. A route that operators intended to protect is therefore published to the data plane without its authentication control, allowing unauthenticated access to the backend. The trigger is an invalid or unresolved auth dependency — a missing, malformed, unreadable, or policy-denied Secret — rather than an intentionally unprotected route. This vulnerability is fixed in 3.7.5.
- How severe is CVE-2026-54762?
- CVE-2026-54762 has a CVSS 3.x base score of 8.6, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2026-54762 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (28th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-54762?
- CVE-2026-54762 affects Traefik. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-54762?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-54762 have an EU (EUVD) identifier?
- Yes. CVE-2026-54762 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-38578.
- When was CVE-2026-54762 published?
- CVE-2026-54762 was published on 2026-06-23 and last updated on 2026-06-26.
References
- https://github.com/traefik/traefik/releases/tag/v3.7.5
- https://github.com/traefik/traefik/security/advisories/GHSA-4mr2-fg2p-w63c
Affected products (1)
- cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
More vulnerabilities in Traefik
- CVE-2026-54763 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth,…
- CVE-2026-53622 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's…
- CVE-2026-48491 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in…
- CVE-2026-48020 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity…
- CVE-2026-39858 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high…
- CVE-2026-35051 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an…
Other CWE-636 vulnerabilities
- CVE-2026-22034 — Critical (CVSS 9.8): Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a…
- CVE-2024-3729 — Critical (CVSS 9.8): The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper missing encryption exception handling…
- CVE-2026-40525 — Critical (CVSS 9.1): OpenViking prior to version 0.3.9 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route…
- CVE-2024-43532 — High (CVSS 8.8): Remote Registry Service Elevation of Privilege Vulnerability
- CVE-2025-54870 — High (CVSS 8.7): VTun-ng is a Virtual Tunnel over TCP/IP network. In versions 3.0.17 and below, failure to initialize encryption modules…
- CVE-2023-4030 — High (CVSS 8.4): A vulnerability was reported in BIOS for ThinkPad P14s Gen 2, P15s Gen 2, T14 Gen 2, and T15 Gen 2 that could cause the…