rpm package
opensuse/traefik2&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/traefik2&distro=openSUSE%20Tumbleweed
Vulnerabilities (50)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44774 | Cri | 9.9 | < 2.11.46-1.1 | 2.11.46-1.1 | May 15, 2026 | Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gat | |
| CVE-2026-41181 | Med | 5.8 | < 2.11.45-1.1 | 2.11.45-1.1 | May 15, 2026 | Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors (custom error pages) middleware. When the backend returns a response matching the configured status range, the middle | |
| CVE-2026-41263 | Low | 3.7 | < 2.11.44-1.1 | 2.11.44-1.1 | Apr 30, 2026 | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variab | |
| CVE-2026-41174 | Med | 6.4 | < 2.11.44-1.1 | 2.11.44-1.1 | Apr 30, 2026 | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetesCRD.allowCrossNamespace=false, Traefik co | |
| CVE-2026-40912 | Hig | 8.2 | < 2.11.44-1.1 | 2.11.44-1.1 | Apr 30, 2026 | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The mi | |
| CVE-2026-39858 | Cri | 10.0 | < 2.11.44-1.1 | 2.11.44-1.1 | Apr 30, 2026 | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic | |
| CVE-2026-35051 | Cri | 10.0 | < 2.11.44-1.1 | 2.11.44-1.1 | Apr 30, 2026 | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream | |
| CVE-2026-34986 | Hig | 7.5 | < 2.11.44-1.1 | 2.11.44-1.1 | Apr 6, 2026 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW | |
| CVE-2026-32595 | — | < 2.11.42-1.1 | 2.11.42-1.1 | Mar 20, 2026 | Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt passwor | ||
| CVE-2026-32305 | — | < 2.11.42-1.1 | 2.11.42-1.1 | Mar 20, 2026 | Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across m | ||
| CVE-2026-29054 | — | < 2.11.40-1.1 | 2.11.40-1.1 | Mar 5, 2026 | Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put | ||
| CVE-2026-26999 | — | < 2.11.40-1.1 | 2.11.40-1.1 | Mar 5, 2026 | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing | ||
| CVE-2026-26998 | — | < 2.11.40-1.1 | 2.11.40-1.1 | Mar 5, 2026 | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing the ForwardAuth middleware responses. When Traefik is configured to use the ForwardAuth middleware, the response body from the authentic | ||
| CVE-2026-22045 | — | < 2.11.35-1.1 | 2.11.35-1.1 | Jan 15, 2026 | Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors inde | ||
| CVE-2025-66490 | — | < 2.11.35-1.1 | 2.11.35-1.1 | Dec 9, 2025 | Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted chara | ||
| CVE-2025-58181 | — | < 2.11.35-1.1 | 2.11.35-1.1 | Nov 19, 2025 | SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. | ||
| CVE-2025-46810 | Hig | — | < 2.11.29-2.1 | 2.11.29-2.1 | Sep 2, 2025 | A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of openSUSE Tumbleweed traefik2 allows the traefik user to escalate to root. This issue affects Tumbleweed: from ? before 2.11.29. | |
| CVE-2025-54386 | — | < 2.11.35-1.1 | 2.11.35-1.1 | Aug 1, 2025 | Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file path | ||
| CVE-2025-47952 | — | < 2.11.26-1.1 | 2.11.26-1.1 | May 30, 2025 | Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a b | ||
| CVE-2025-32431 | — | < 2.11.26-1.1 | 2.11.26-1.1 | Apr 21, 2025 | Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2. There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the |
- affected < 2.11.46-1.1fixed 2.11.46-1.1
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gat
- affected < 2.11.45-1.1fixed 2.11.45-1.1
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors (custom error pages) middleware. When the backend returns a response matching the configured status range, the middle
- affected < 2.11.44-1.1fixed 2.11.44-1.1
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variab
- affected < 2.11.44-1.1fixed 2.11.44-1.1
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetesCRD.allowCrossNamespace=false, Traefik co
- affected < 2.11.44-1.1fixed 2.11.44-1.1
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The mi
- affected < 2.11.44-1.1fixed 2.11.44-1.1
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic
- affected < 2.11.44-1.1fixed 2.11.44-1.1
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream
- affected < 2.11.44-1.1fixed 2.11.44-1.1
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW
- CVE-2026-32595Mar 20, 2026affected < 2.11.42-1.1fixed 2.11.42-1.1
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt passwor
- CVE-2026-32305Mar 20, 2026affected < 2.11.42-1.1fixed 2.11.42-1.1
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across m
- CVE-2026-29054Mar 5, 2026affected < 2.11.40-1.1fixed 2.11.40-1.1
Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put
- CVE-2026-26999Mar 5, 2026affected < 2.11.40-1.1fixed 2.11.40-1.1
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing
- CVE-2026-26998Mar 5, 2026affected < 2.11.40-1.1fixed 2.11.40-1.1
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing the ForwardAuth middleware responses. When Traefik is configured to use the ForwardAuth middleware, the response body from the authentic
- CVE-2026-22045Jan 15, 2026affected < 2.11.35-1.1fixed 2.11.35-1.1
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors inde
- CVE-2025-66490Dec 9, 2025affected < 2.11.35-1.1fixed 2.11.35-1.1
Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted chara
- CVE-2025-58181Nov 19, 2025affected < 2.11.35-1.1fixed 2.11.35-1.1
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
- affected < 2.11.29-2.1fixed 2.11.29-2.1
A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of openSUSE Tumbleweed traefik2 allows the traefik user to escalate to root. This issue affects Tumbleweed: from ? before 2.11.29.
- CVE-2025-54386Aug 1, 2025affected < 2.11.35-1.1fixed 2.11.35-1.1
Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file path
- CVE-2025-47952May 30, 2025affected < 2.11.26-1.1fixed 2.11.26-1.1
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a b
- CVE-2025-32431Apr 21, 2025affected < 2.11.26-1.1fixed 2.11.26-1.1
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2. There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the
Page 1 of 3