
CVE-2026-54762

MEDIUM
5.9
CVSS 4.0
Description
Traefik is an HTTP reverse proxy and load balancer. In versions from 3.7.0-ea.1 up to but not including 3.7.5, there is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported nginx.ingress.kubernetes.io/auth-type and auth-secret annotations, but the referenced auth Secret cannot be resolved or parsed, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. A route that operators intended to protect is therefore published to the data plane without its authentication control, allowing unauthenticated access to the backend. The trigger is an invalid or unresolved auth dependency (a missing, malformed, unreadable, or policy-denied Secret) rather than an intentionally unprotected route. This vulnerability is fixed in 3.7.5.
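The practical question for an operator on an affected version is which Ingress objects currently sit in the fail-open state: auth-type set, but the Secret named by auth-secret missing or unparseable. The script below is an added example written for this page; it is not Traefik's code and does not reproduce how the provider parses Secrets. It reads the JSON item lists that `kubectl get ingress -A -o json` and `kubectl get secret -A -o json` produce and reports every Ingress whose auth dependency cannot be resolved. Three assumptions are made and marked in the code: the auth-secret value may be a bare name (same namespace) or `namespace/name`; the auth-secret-type annotation defaults to `auth-file`, whose Secret must carry an `auth` key holding htpasswd-style `user:hash` lines, while `auth-map` Secrets use one key per user (this follows ingress-nginx's documented conventions, not a verified detail of Traefik's parser); and the sample objects at the bottom are constructed, not captured from a cluster.

```python
"""Audit Ingress objects for nginx auth annotations whose Secret cannot be resolved.

Added example for CVE-2026-54762, not Traefik project code. Input is the item
list from `kubectl get ingress -A -o json` / `kubectl get secret -A -o json`.
"""
import base64
import json
import re
import sys

PREFIX = "nginx.ingress.kubernetes.io/"
AUTH_TYPES = {"basic", "digest"}
# htpasswd-style line: user, colon, non-empty hash (assumed format, see lead-in)
HTPASSWD_LINE = re.compile(r"^[^:\s]+:\S+$")


def find_secret(secrets, namespace, name):
    """Return the Secret object with the given namespace/name, or None."""
    for s in secrets:
        md = s.get("metadata", {})
        if md.get("namespace") == namespace and md.get("name") == name:
            return s
    return None


def check_ingress(ingress, secrets):
    """Return a list of findings for one Ingress; empty means auth resolves."""
    md = ingress.get("metadata", {})
    ann = md.get("annotations") or {}
    auth_type = ann.get(PREFIX + "auth-type")
    if auth_type is None:
        return []  # route is intentionally unauthenticated; not this bug
    findings = []
    if auth_type not in AUTH_TYPES:
        findings.append(f"unsupported auth-type {auth_type!r}")
    ref = ann.get(PREFIX + "auth-secret")
    if not ref:
        return findings + ["auth-type set but auth-secret annotation is missing"]
    # Assumption: "name" means same namespace, "ns/name" names another namespace
    secret_ns, _, secret_name = ref.rpartition("/")
    secret_ns = secret_ns or md.get("namespace", "default")
    secret = find_secret(secrets, secret_ns, secret_name)
    if secret is None:
        return findings + [f"auth-secret {secret_ns}/{secret_name} not found"]
    data = secret.get("data") or {}
    # Assumption: ingress-nginx convention, auth-file (key "auth") or auth-map
    secret_type = ann.get(PREFIX + "auth-secret-type", "auth-file")
    if secret_type == "auth-file":
        raw = data.get("auth")
        if raw is None:
            findings.append(f"{secret_ns}/{secret_name} has no 'auth' key")
        else:
            try:
                text = base64.b64decode(raw, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                findings.append(f"{secret_ns}/{secret_name}: 'auth' is not valid base64/UTF-8")
            else:
                lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
                bad = [ln for ln in lines if not HTPASSWD_LINE.match(ln)]
                if not lines or bad:
                    findings.append(f"{secret_ns}/{secret_name}: 'auth' has no valid user:hash lines")
    elif secret_type == "auth-map":
        if not data:
            findings.append(f"{secret_ns}/{secret_name}: auth-map Secret has no entries")
    else:
        findings.append(f"unknown auth-secret-type {secret_type!r}")
    return findings


def audit(ingresses, secrets):
    """Map 'namespace/name' of each at-risk Ingress to its findings."""
    report = {}
    for ing in ingresses:
        findings = check_ingress(ing, secrets)
        if findings:
            md = ing["metadata"]
            report[f"{md['namespace']}/{md['name']}"] = findings
    return report


def _b64(s):
    return base64.b64encode(s.encode()).decode()


def _ingress(ns, name, **annotations):
    return {"metadata": {"namespace": ns, "name": name,
                         "annotations": {PREFIX + k: v for k, v in annotations.items()}}}


# Constructed sample objects (not from a real cluster)
SAMPLE_SECRETS = [
    {"metadata": {"namespace": "prod", "name": "api-auth"},
     "data": {"auth": _b64("admin:$apr1$x7Yz1Qk3$placeholderhash\n")}},
    {"metadata": {"namespace": "prod", "name": "broken-auth"},
     "data": {"auth": _b64("admin\n")}},  # no colon: unparseable htpasswd line
]
SAMPLE_INGRESSES = [
    _ingress("prod", "ok", **{"auth-type": "basic", "auth-secret": "api-auth"}),
    _ingress("prod", "missing-secret", **{"auth-type": "basic", "auth-secret": "no-such-secret"}),
    _ingress("prod", "bad-secret", **{"auth-type": "digest", "auth-secret": "prod/broken-auth"}),
    _ingress("prod", "public"),  # no auth annotations at all
]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: audit.py ingresses.json secrets.json
        ingresses = json.load(open(sys.argv[1]))["items"]
        secrets = json.load(open(sys.argv[2]))["items"]
    else:
        ingresses, secrets = SAMPLE_INGRESSES, SAMPLE_SECRETS
    for key, findings in audit(ingresses, secrets).items():
        print(key, "->", "; ".join(findings))
```

Run it against the two JSON dumps before upgrading; every line it prints is a route that Traefik 3.7.0-ea.1 through 3.7.4 serves without the authentication the Ingress asked for. An empty report means no route is currently in the fail-open state, not that the version is safe, since a later Secret deletion or RBAC change would re-create the condition until 3.7.5 is deployed.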

Metadata

CVE ID
CVE-2026-54762
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-15 23:12 UTC
Published
2026-06-23 19:17 UTC
Last updated
2026-06-23 19:17 UTC
Primary CWE
CWE-636
CWE-636: Not Failing Securely ('Failing Open')
Vendor / Product
traefik / traefik
Sources
cve.org  ·  NVD

Severity & Metrics

5.9 MEDIUM CVSS 4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
Affected products (1)
Vendor | Product | Platform | Versions
traefik | traefik | | >= 3.7.0-ea.1, < 3.7.5
Weakness (CWE)
CWE | Source | Description
CWE-636 | cna | CWE-636: Not Failing Securely ('Failing Open')
CWE-693 | cna | CWE-693: Protection Mechanism Failure
CVSS scores (1)
Score | Severity | Version | Source | Vector
5.9 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
References (2)