VYPR

rpm package

opensuse/traefik&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/traefik&distro=openSUSE%20Tumbleweed

Vulnerabilities (52)

  • CVE-2026-44774 | Critical | May 15, 2026
    affected < 3.6.17-1.1 | fixed 3.6.17-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gat

  • CVE-2026-41181 | Medium | May 15, 2026
    affected < 3.6.16-1.1 | fixed 3.6.16-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors (custom error pages) middleware. When the backend returns a response matching the configured status range, the middle

  • CVE-2026-41263 | Low | Apr 30, 2026
    affected < 3.6.15-1.1 | fixed 3.6.15-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variab

  • CVE-2026-41174 | Medium | Apr 30, 2026
    affected < 3.6.15-1.1 | fixed 3.6.15-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetesCRD.allowCrossNamespace=false, Traefik co

  • CVE-2026-40912 | High | Apr 30, 2026
    affected < 3.6.15-1.1 | fixed 3.6.15-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The mi

  • CVE-2026-39858 | Critical | Apr 30, 2026
    affected < 3.6.15-1.1 | fixed 3.6.15-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic

  • CVE-2026-35051 | Critical | Apr 30, 2026
    affected < 3.6.15-1.1 | fixed 3.6.15-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream

  • CVE-2026-34986 | High | Apr 6, 2026
    affected < 3.6.15-1.1 | fixed 3.6.15-1.1

    Go JOSE provides an implementation of the JavaScript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-32695 | High | Mar 27, 2026
    affected < 3.6.12-1.1 | fixed 3.6.12-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 3.6.11 and 3.7.0-ea.2, Traefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative `rule

  • CVE-2026-32595 | Mar 20, 2026
    affected < 3.6.12-1.1 | fixed 3.6.12-1.1

    Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 contain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt passwor

  • CVE-2026-32305 | Mar 20, 2026
    affected < 3.6.12-1.1 | fixed 3.6.12-1.1

    Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across m

  • CVE-2026-29777 | Mar 11, 2026
    affected < 3.6.10-2.1 | fixed 3.6.10-2.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, a tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deploym

  • CVE-2026-29054 | Mar 5, 2026
    affected < 3.6.10-1.1 | fixed 3.6.10-1.1

    Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put

  • CVE-2026-26999 | Mar 5, 2026
    affected < 3.6.10-1.1 | fixed 3.6.10-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing

  • CVE-2026-26998 | Mar 5, 2026
    affected < 3.6.10-1.1 | fixed 3.6.10-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing the ForwardAuth middleware responses. When Traefik is configured to use the ForwardAuth middleware, the response body from the authentic

  • CVE-2026-27141 | High | Feb 26, 2026
    affected < 3.6.10-2.1 | fixed 3.6.10-2.1

    Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic

  • CVE-2026-25949 | Feb 12, 2026
    affected < 3.6.8-1.1 | fixed 3.6.8-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS

  • CVE-2026-22045 | Jan 15, 2026
    affected < 3.6.7-1.1 | fixed 3.6.7-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors inde

  • CVE-2025-66491 | Dec 9, 2025
    affected < 3.6.6-1.1 | fixed 3.6.6-1.1

    Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually

  • CVE-2025-66490 | Dec 9, 2025
    affected < 3.6.6-1.1 | fixed 3.6.6-1.1

    Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted chara
