Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization
Description
Traefik's StripPrefix middleware allows unauthenticated attackers to bypass route-level authentication by using path traversal sequences (.. or %2e%2e) to reach protected backend paths.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in Traefik's StripPrefix middleware when used in conjunction with PathPrefix routing rules. A request containing .. or its percent-encoded form %2e%2e can match a public router's PathPrefix rule at routing time. After StripPrefix removes the prefix, the path is normalized, potentially resolving to a path that should be served by a separate, authenticated router. This affects Traefik versions v2.11.46, v3.6.17, and v3.7.1 (and likely earlier versions in those branches) [1][2]. The issue is distinct from previously disclosed StripPrefixRegex path-normalization problems [2].
Exploitation
An unauthenticated attacker can craft a request such as /api../admin to a public router that matches PathPrefix(/api) and applies StripPrefix to remove /api. The path ../admin is normalized to /admin, which is then forwarded to the backend without passing through the authentication middleware attached to the protected router for /admin [1][2]. No authentication or special privileges are required; the attacker only needs network access to the Traefik instance.
Impact
Successful exploitation allows an attacker to reach protected backend paths—such as /admin or /internal/config—without satisfying the authentication or authorization middleware intended to guard them [1][2]. This can lead to unauthorized access to sensitive administrative interfaces or internal configuration endpoints, potentially resulting in information disclosure or further compromise of the backend services.
Mitigation
The vulnerability is fixed in Traefik releases v2.11.48, v3.6.19, and v3.7.3 [3][4]. Users should upgrade to these versions or later. No workaround is documented; the fix involves rejecting requests where the path after StripPrefix normalization differs from the original path [3][4].
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (1)
5ea71f1c3af0 Prepare release v3.7.3
3 files changed · +15 −9
CHANGELOG.md+8 −2 modified@@ -1,7 +1,8 @@ -## [v3.7.2](https://github.com/traefik/traefik/tree/v3.7.2) (2026-06-03) -[All Commits](https://github.com/traefik/traefik/compare/v3.7.1...v3.7.2) +## [v3.7.3](https://github.com/traefik/traefik/tree/v3.7.3) (2026-06-04) +[All Commits](https://github.com/traefik/traefik/compare/v3.7.1...v3.7.3) **Bug fixes:** +- **[tls]** Compute resolved tlsOptions after applying models ([#13291](https://github.com/traefik/traefik/pull/13291) @rtribotte) - **[webui, tcp]** Fix TCP router service resolution in dashboard flow diagram ([#13155](https://github.com/traefik/traefik/pull/13155) @aliamerj) - **[k8s/ingress-nginx]** Trim quotes from proxy_set_header header name ([#13203](https://github.com/traefik/traefik/pull/13203) @crisbal) - **[accesslogs]** Escape double quotes in quoted log fields ([#13180](https://github.com/traefik/traefik/pull/13180) @KaanSimsek) @@ -70,6 +71,11 @@ - **[middleware]** Reject requests with different paths after StripPrefix and StripPrefixRegex normalisation ([#13215](https://github.com/traefik/traefik/pull/13215) @rtribotte) - **[server]** Bump golang.org/x/net to v0.55.0 ([#13251](https://github.com/traefik/traefik/pull/13251) @kevinpollet) - **[server]** Bump golang.org/x/crypto to v0.52.0 ([#13276](https://github.com/traefik/traefik/pull/13276) @rtribotte) +- +## [v3.7.2](https://github.com/traefik/traefik/tree/v3.7.2) (2026-06-03) +[All Commits](https://github.com/traefik/traefik/compare/v3.7.1...v3.7.2) + +Release canceled. ## [v3.6.18](https://github.com/traefik/traefik/tree/v3.6.18) (2026-06-03) [All Commits](https://github.com/traefik/traefik/compare/v3.6.17...v3.6.18)
docs/content/migrate/v3.md+4 −4 modified@@ -9,11 +9,11 @@ This guide provides detailed migration steps for upgrading between different Tra --- -## v3.7.2 +## v3.7.3 ### Kubernetes Gateway API Provider -Starting with `v3.7.2`, the QPS and Burst values of the Kubernetes client used by the Kubernetes Gateway API provider have been increased to `50` and `100` respectively (10x the default values of the Kubernetes client). +Starting with `v3.7.3`, the QPS and Burst values of the Kubernetes client used by the Kubernetes Gateway API provider have been increased to `50` and `100` respectively (10x the default values of the Kubernetes client). The Kubernetes Gateway API provider writes status updates intensively to comply with the Kubernetes Gateway API specification. This change helps avoid performance issues related to Kubernetes API rate limiting, which can increase the setup time when a new routing configuration is built. 
@@ -23,13 +23,13 @@ and [`kubernetesGateway.burst`](../reference/install-configuration/providers/kub ### BasicAuth Middleware -From version `v3.7.2` onwards, the BasicAuth middleware requires a non-empty users configuration in order to be built successfully. +From version `v3.7.3` onwards, the BasicAuth middleware requires a non-empty users configuration in order to be built successfully. Previously, the middleware would be built successfully but always return a 401 status code for any request. Now, an error occurs and any routers using it will be unmounted. For the same request, a 404 status code is served instead of a 401 status code. ### StripPrefix and StripPrefixRegex Middleware -From version `v3.7.2` onwards, the StripPrefix middleware and the StripPrefixRegex middleware reject requests (`400 Bad Request`) +From version `v3.7.3` onwards, the StripPrefix middleware and the StripPrefixRegex middleware reject requests (`400 Bad Request`) when stripping the configured prefix produces a path that differs from its normalised form (i.e. a path containing `.` or `..` segments that would be collapsed by normalisation).
script/gcg/traefik-bugfix.toml+3 −3 modified@@ -4,11 +4,11 @@ RepositoryName = "traefik" OutputType = "file" FileName = "traefik_changelog.md" -# example new bugfix v3.7.2 +# example new bugfix v3.7.3 CurrentRef = "v3.7" -PreviousRef = "v3.7.1" +PreviousRef = "v3.7.2" BaseBranch = "v3.7" -FutureCurrentRefName = "v3.7.2" +FutureCurrentRefName = "v3.7.3" ThresholdPreviousRef = 10000 ThresholdCurrentRef = 10000
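Review bot: the CHANGELOG.md hunk at @@ -70,6 +71,11 @@ adds an empty bullet (`+-`) between the golang.org/x/crypto bump and the new `## [v3.7.2]` heading; drop that stray list item, which renders as an empty bullet, and leave only the blank line before the heading.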
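Review bot: the docs/content/migrate/v3.md hunks only rename `v3.7.2` to `v3.7.3`, but the StripPrefix paragraph they touch ("a path containing `.` or `..` segments that would be collapsed by normalisation") should state whether percent-encoded dot segments such as `%2e%2e`, which this advisory names as an attack form, are compared in their decoded form; operators reading the migration note need to know that the `400 Bad Request` applies to those requests as well.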
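Review bot: `PreviousRef = "v3.7.2"` in script/gcg/traefik-bugfix.toml points at a release the CHANGELOG hunk marks as "Release canceled.", while the changelog's own compare link uses `v3.7.1...v3.7.3`; confirm the `v3.7.2` tag actually exists, otherwise the changelog generator cannot resolve the range, and if it does not, `PreviousRef = "v3.7.1"` is the value that matches the published compare link.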
Vulnerability mechanics
Root cause
"The StripPrefix middleware normalizes the path after stripping the prefix, allowing `..` or `%2e%2e` sequences to resolve to protected paths that were not matched at routing time."
Attack vector
An unauthenticated attacker sends an HTTP request containing `..` or its percent-encoded form `%2e%2e` in the path, such as `/api../admin`. At routing time, the path matches a public PathPrefix rule (e.g. PathPrefix(`/api`)) and is routed through the StripPrefix middleware without authentication. After the prefix is stripped, the path is normalized via `JoinPath()`, resolving the `..` to a protected path such as `/admin`. The backend receives the normalized protected path, and the attacker gains access to resources that should have been guarded by the protected router's authentication middleware [1][2].
Affected code
The vulnerability resides in Traefik's StripPrefix middleware. When a public router uses a PathPrefix rule and applies StripPrefix, the middleware strips the prefix and then calls `req.URL.JoinPath()` to normalize the path. This normalization resolves `..` or `%2e%2e` sequences after routing decisions have already been made, allowing a request to match a public route at routing time but reach a protected backend path after normalization. The linked patch is commit `5ea71f1c3af049067a0b6d5afd97bad1cf1a0071` (patch 5595009).
What the fix does
The fixed releases reject, with `400 Bad Request`, any request whose path after StripPrefix (or StripPrefixRegex) differs from its normalised form, i.e. one containing `.` or `..` segments that `JoinPath()` would collapse [3][4]. This closes the gap where `JoinPath()` was called only after prefix stripping, so a `..` could traverse above the stripped prefix. The linked commit (patch 5595009) is the release-preparation commit for v3.7.3; its changelog lists the functional change as "Reject requests with different paths after StripPrefix and StripPrefixRegex normalisation" (#13215). Operators can additionally tighten the routing rule itself by using PathRegexp(`^/api(/|$)`) or PathPrefix(`/api/`) together with StripPrefix(`/api/`), so that a path such as `/api../admin` does not match the public router in the first place [1][2].
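To make the routing-time versus post-strip mismatch concrete, here is an added Go model (not Traefik's code) of the behaviour described above: a public router matching PathPrefix(`/api`) with StripPrefix(`/api`), the stricter PathRegexp(`^/api(/|$)`) alternative, and the fix's reject-when-normalisation-changed-the-path check. `path.Clean` stands in for the `JoinPath()` normalisation, `/admin` is the page's protected-path example, and the function and parameter names are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Simplified model of the page's scenario; added example, not Traefik's own code.
// Public router: PathPrefix(`/api`) + StripPrefix(`/api`); strict rule: PathRegexp(`^/api(/|$)`).
const prefix = "/api"
var strictRule = regexp.MustCompile(`^/api(/|$)`)

// routeAndStrip returns the status the proxy would answer and the path forwarded
// to the backend ("" when rejected). strict selects PathRegexp over PathPrefix;
// hardened models the fix: 400 when normalisation changes the stripped path.
func routeAndStrip(rawPath string, strict, hardened bool) (int, string) {
	decoded, err := url.PathUnescape(rawPath) // routing sees the decoded path: %2e%2e -> ..
	if err != nil {
		return 400, ""
	}
	matched := strings.HasPrefix(decoded, prefix) // PathPrefix(`/api`) accepts "/api../admin"
	if strict {
		matched = strictRule.MatchString(decoded) // `^/api(/|$)` does not match "/api../admin"
	}
	if !matched {
		return 404, ""
	}
	stripped := strings.TrimPrefix(decoded, prefix)
	if !strings.HasPrefix(stripped, "/") {
		stripped = "/" + stripped // "../admin" -> "/../admin"
	}
	normalised := path.Clean(stripped) // stands in for JoinPath(): "/../admin" -> "/admin"
	if hardened && normalised != stripped {
		return 400, "" // fix: the stripped path would escape the prefix boundary
	}
	return 200, normalised
}

func main() {
	for _, p := range []string{"/api/users", "/api../admin", "/api%2e%2e/admin"} {
		st, fwd := routeAndStrip(p, false, false)
		fmt.Printf("%-17s vulnerable: %d %q bypass=%v", p, st, fwd, st == 200 && fwd == "/admin")
		st, fwd = routeAndStrip(p, false, true)
		fmt.Printf("  fixed: %d %q\n", st, fwd)
	}
}
```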
Preconditions
- config: A public router must use a PathPrefix rule combined with the StripPrefix middleware
- config: A separate protected router must guard paths that overlap with the stripped prefix after normalization
- auth: No authentication middleware is applied to the public router
- network: Attacker must be able to send HTTP requests to the Traefik entrypoint
- input: The request path must contain `..` or `%2e%2e` sequences that, after stripping and normalization, resolve to a protected path
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: 5
Linked articles: 0 (no linked articles in our index yet)