VYPR

rpm package

opensuse/traefik&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/traefik&distro=openSUSE%20Tumbleweed

Vulnerabilities (55)

  • CVE-2026-53622higJun 16, 2026
    affected < 3.7.5-1.1fixed 3.7.5-1.1

    ## Summary There is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration

  • CVE-2026-48491higJun 16, 2026
    affected < 3.7.5-1.1fixed 3.7.5-1.1

    ## Summary There is a high severity vulnerability in Traefik's domain-fronting protection (`SNICheck`) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router `TLSOptions`. When a router uses a wildcard host rule such as `Host(`*.example.com`)

  • CVE-2026-48020higJun 11, 2026
    affected < 3.7.5-1.1fixed 3.7.5-1.1

    ## Summary There is a high severity vulnerability in Traefik's `StripPrefix` middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a `PathPrefix` rule and applies the `StripPrefix` middleware, a

  • CVE-2026-44774CriMay 15, 2026
    affected < 3.6.17-1.1fixed 3.6.17-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gat

  • CVE-2026-41181MedMay 15, 2026
    affected < 3.6.16-1.1fixed 3.6.16-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors (custom error pages) middleware. When the backend returns a response matching the configured status range, the middle

  • CVE-2026-41263LowApr 30, 2026
    affected < 3.6.15-1.1fixed 3.6.15-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variab

  • CVE-2026-41174MedApr 30, 2026
    affected < 3.6.15-1.1fixed 3.6.15-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetesCRD.allowCrossNamespace=false, Traefik co

  • CVE-2026-40912HigApr 30, 2026
    affected < 3.6.15-1.1fixed 3.6.15-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The mi

  • CVE-2026-39858CriApr 30, 2026
    affected < 3.6.15-1.1fixed 3.6.15-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic

  • CVE-2026-35051CriApr 30, 2026
    affected < 3.6.15-1.1fixed 3.6.15-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream

  • CVE-2026-34986HigApr 6, 2026
    affected < 3.6.15-1.1fixed 3.6.15-1.1

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-32695HigMar 27, 2026
    affected < 3.6.12-1.1fixed 3.6.12-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 3.6.11 and 3.7.0-ea.2, Traefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative `rule

  • CVE-2026-32595Mar 20, 2026
    affected < 3.6.12-1.1fixed 3.6.12-1.1

    Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt passwor

  • CVE-2026-32305Mar 20, 2026
    affected < 3.6.12-1.1fixed 3.6.12-1.1

    Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across m

  • CVE-2026-29777Mar 11, 2026
    affected < 3.6.10-2.1fixed 3.6.10-2.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deploym

  • CVE-2026-29054Mar 5, 2026
    affected < 3.6.10-1.1fixed 3.6.10-1.1

    Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put

  • CVE-2026-26999Mar 5, 2026
    affected < 3.6.10-1.1fixed 3.6.10-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing

  • CVE-2026-26998Mar 5, 2026
    affected < 3.6.10-1.1fixed 3.6.10-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing the ForwardAuth middleware responses. When Traefik is configured to use the ForwardAuth middleware, the response body from the authentic

  • CVE-2026-27141HigFeb 26, 2026
    affected < 3.6.10-2.1fixed 3.6.10-2.1

    Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic

  • CVE-2026-25949Feb 12, 2026
    affected < 3.6.8-1.1fixed 3.6.8-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS

Page 1 of 3