
CVE-2026-54761

MEDIUM
6.0
CVSS 4.0
Description
Traefik is an HTTP reverse proxy and load balancer. In versions before 3.6.21, and in the 3.7 line from 3.7.0-ea.1 up to but not including 3.7.5, Traefik's Kubernetes Gateway provider contains a vulnerability in the handling of the crossProviderNamespaces allowlist, which the vendor rates as high severity.

For HTTPRoute rules that declare multiple (weighted round robin, WRR) backendRefs, Traefik evaluates the allowlist against the target backendRef.namespace rather than against the namespace the HTTPRoute itself lives in. The backendRef.namespace field is chosen by the route author, so the check can be satisfied by anyone able to create a route: an HTTPRoute in a namespace that is not allow-listed can reference a cross-provider TraefikService such as api@internal, dashboard@internal or rest@internal by pointing backendRef.namespace at an allow-listed namespace that is covered by a Gateway API ReferenceGrant. The result is that internal Traefik services become reachable on the data plane.

Exploitation requires the ability to create an HTTPRoute that the Gateway accepts, together with a matching ReferenceGrant in an allow-listed namespace. It does not require any change to Traefik's static configuration, to RBAC, or to the deployment itself. The issue is fixed in 3.6.21 and 3.7.5.
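The following Go program is an added illustration written for this page; it is not Traefik's code and does not reproduce its types. It models the allowlist decision the description talks about: a vulnerable evaluation that, for multi-backend (WRR) rules, takes the namespace from backendRef.namespace, beside a fixed evaluation that always uses the HTTPRoute's own namespace, plus an audit helper an operator could run over a dump of routes to find cross-provider references accepted from non-allow-listed namespaces. The struct and function names, the representation of the allowlist as a slice of namespace names, and the heuristic that a backendRef name containing "@" denotes a cross-provider reference (api@internal, dashboard@internal, rest@internal) are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// BackendRef is a simplified model of a Gateway API backendRef (assumed shape,
// not Traefik's type). Namespace is the author-controlled backendRef.namespace.
type BackendRef struct {
	Kind      string // e.g. "Service" or "TraefikService"
	Name      string // cross-provider references carry "@provider", e.g. "api@internal"
	Namespace string // backendRef.namespace; may point at another namespace via a ReferenceGrant
	Weight    int
}

// HTTPRoute is a simplified model of a Gateway API HTTPRoute rule (assumed shape).
type HTTPRoute struct {
	Name      string
	Namespace string // the route's own namespace, not chosen freely by the author
	Backends  []BackendRef
}

// isCrossProvider treats the "name@provider" form as a cross-provider reference.
// This heuristic is an assumption of the example.
func isCrossProvider(ref BackendRef) bool {
	return strings.Contains(ref.Name, "@")
}

// namespaceAllowed checks a namespace against the crossProviderNamespaces allowlist,
// modelled here as a plain slice of namespace names.
func namespaceAllowed(ns string, allowlist []string) bool {
	for _, a := range allowlist {
		if a == ns {
			return true
		}
	}
	return false
}

// vulnerableAccepted models the behaviour described in the advisory: with a single
// backendRef the route namespace is checked, but with multiple (WRR) backendRefs the
// allowlist is evaluated against backendRef.namespace, which the route author controls.
// It returns the cross-provider reference names that pass the check.
func vulnerableAccepted(route HTTPRoute, allowlist []string) []string {
	var accepted []string
	for _, ref := range route.Backends {
		if !isCrossProvider(ref) {
			continue
		}
		ns := route.Namespace
		if len(route.Backends) > 1 { // WRR path: wrong namespace is consulted
			ns = ref.Namespace
		}
		if namespaceAllowed(ns, allowlist) {
			accepted = append(accepted, ref.Name)
		}
	}
	return accepted
}

// fixedAccepted always evaluates the allowlist against the HTTPRoute's own namespace,
// regardless of how many backendRefs the rule declares.
func fixedAccepted(route HTTPRoute, allowlist []string) []string {
	var accepted []string
	for _, ref := range route.Backends {
		if isCrossProvider(ref) && namespaceAllowed(route.Namespace, allowlist) {
			accepted = append(accepted, ref.Name)
		}
	}
	return accepted
}

// auditExposure lists the cross-provider references that an affected Traefik would
// accept from routes whose own namespace is NOT allow-listed: the condition to look
// for in a cluster before upgrading.
func auditExposure(routes []HTTPRoute, allowlist []string) []string {
	var findings []string
	for _, route := range routes {
		if namespaceAllowed(route.Namespace, allowlist) {
			continue // trusted namespace; cross-provider references are intended here
		}
		if len(route.Backends) < 2 {
			continue // single-backend rules evaluate the route namespace correctly
		}
		for _, ref := range route.Backends {
			if isCrossProvider(ref) && namespaceAllowed(ref.Namespace, allowlist) {
				findings = append(findings, fmt.Sprintf("%s/%s: %s via backendRef.namespace=%s",
					route.Namespace, route.Name, ref.Name, ref.Namespace))
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample data: one allow-listed namespace and a tenant route that
	// mixes an internal TraefikService with an ordinary Service in a WRR rule.
	allowlist := []string{"traefik-system"}
	tenant := HTTPRoute{Name: "tenant", Namespace: "tenant-a", Backends: []BackendRef{
		{Kind: "TraefikService", Name: "api@internal", Namespace: "traefik-system", Weight: 1},
		{Kind: "Service", Name: "whoami", Namespace: "tenant-a", Weight: 1},
	}}
	fmt.Println("vulnerable accepts:", vulnerableAccepted(tenant, allowlist))
	fmt.Println("fixed accepts:     ", fixedAccepted(tenant, allowlist))
	for _, f := range auditExposure([]HTTPRoute{tenant}, allowlist) {
		fmt.Println("finding:", f)
	}
}
```

The two evaluation functions differ only in which namespace is fed to the allowlist, which is the whole of the bug: an authorization decision keyed on an attacker-chosen attribute (backendRef.namespace) instead of one bound to the requesting principal (the route's namespace). The audit helper applies the vulnerable rule only to routes outside the allowlist, so any finding it returns is a reference that the fix would reject.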

Metadata

CVE ID
CVE-2026-54761
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-15 23:12 UTC
Published
2026-06-23 19:15 UTC
Last updated
2026-06-23 19:15 UTC
Primary CWE
CWE-284
CWE-284: Improper Access Control
Vendor / Product
traefik / traefik
Sources
cve.org  ·  NVD

Severity & Metrics

6.0 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products (1)

Vendor   Product   Platform   Versions
traefik  traefik   -          < 3.6.21; >= 3.7.0-ea.1, < 3.7.5
Weakness (CWE)

CWE      Source   Description
CWE-284  cna      CWE-284: Improper Access Control
CWE-863  cna      CWE-863: Incorrect Authorization
CVSS scores (1)

Score  Severity  Version  Source  Vector
6.0    MEDIUM    4.0      cna     CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
References (3)