=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN286
_____________________________________________________________________

DATE                : 11/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Traefik (Go) versions prior to
                     2.11.40, 3.6.10.

=====================================================================
https://github.com/traefik/traefik/security/advisories/GHSA-4hjq-9h5c-252j
https://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj
https://github.com/traefik/traefik/security/advisories/GHSA-fw45-f5q2-2p4x
https://github.com/traefik/traefik/security/advisories/GHSA-xw98-5q62-jx94
https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52
_____________________________________________________________________

HTTP/2 frames can cause a running server to panic
High
nmengin published GHSA-4hjq-9h5c-252j Mar 11, 2026

Package
Traefik (Go)

Affected versions
<= v2.11.39
<= v3.6.9

Patched versions
v2.11.40
v3.6.10


Description

Summary

More Details:

    https://nvd.nist.gov/vuln/detail/CVE-2026-27141
    https://pkg.go.dev/golang.org/x/net/http2?tab=versions

Patches

    https://github.com/traefik/traefik/releases/tag/v3.6.10
    https://github.com/traefik/traefik/releases/tag/v2.11.40

For more information

If you have any questions or comments about this advisory,
please open an issue.


Severity
High
7.7 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability None
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability High
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H

CVE ID
CVE-2026-27141

Weaknesses
Weakness CWE-476

Credits

    @WolverMinion (Reporter)
_____________________________________________________________________


Kubernetes gateway rule injection via unescaped backticks in
HTTPRoute match values

Moderate
nmengin published GHSA-8q2w-wr49-whqj Mar 11, 2026

Package
Traefik (Go)

Affected versions
<= v3.6.9

Patched versions
v3.6.10


Description

Summary

There is a potential vulnerability in Traefik's Kubernetes Gateway
provider related to rule injection.

A tenant with write access to an HTTPRoute resource can inject
backtick-delimited rule tokens into Traefik's router rule language
via unsanitized header or query parameter match values. In shared
gateway deployments, this can bypass listener hostname constraints
and redirect traffic for victim hostnames to attacker-controlled
backends.


Patches

    https://github.com/traefik/traefik/releases/tag/v3.6.10

For more information

If you have any questions or comments about this advisory, please
open an issue.


Severity
Moderate
6.1 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required High
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability None
Subsequent System Impact Metrics
Confidentiality High
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

CVE ID
CVE-2026-29777

Weaknesses
Weakness CWE-74

Credits

    @1seal (Reporter)

_____________________________________________________________________


ForwardAuth Middleware Allows Unbounded Response Body, Causing
Potential Denial of Service

Moderate
emilevauge published GHSA-fw45-f5q2-2p4x Mar 4, 2026

Package
Traefik (Go)

Affected versions
<= v2.11.37
<= v3.6.8

Patched versions
v2.11.38
v3.6.9


Description

Impact

There is a potential vulnerability in how Traefik handles ForwardAuth
middleware responses.

When Traefik is configured to use the ForwardAuth middleware, the
response body from the authentication server is read entirely into
memory without any size limit. There is no maxResponseBodySize
configuration to restrict the amount of data read from the
authentication server response. If the authentication server returns
an unexpectedly large or unbounded response body, Traefik will
allocate unlimited memory, potentially causing an out-of-memory (OOM)
condition that crashes the process.

This results in a denial of service for all routes served by the
affected Traefik instance.
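An added illustration, not Traefik's code: a Go sketch of the bounded-read pattern the fix calls for, run against a constructed auth backend that never stops sending. readAuthBody, newEndlessAuthServer and the 1 MiB cap are this example's own choices, not values taken from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

var errAuthBodyTooLarge = errors.New("auth server response body exceeds limit")

// readAuthBody buffers at most limit bytes of the auth server's response. The
// vulnerable pattern is a plain io.ReadAll(r), whose buffer grows for as long
// as the upstream keeps sending.
func readAuthBody(r io.Reader, limit int64) ([]byte, error) {
	// limit+1 lets us tell "exactly limit" from "more than limit".
	b, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(b)) > limit {
		return nil, errAuthBodyTooLarge
	}
	return b, nil
}

// newEndlessAuthServer is a constructed stand-in for a misbehaving auth
// backend: it answers 403 and streams body bytes until the client goes away.
func newEndlessAuthServer() *httptest.Server {
	chunk := make([]byte, 64*1024)
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusForbidden)
		for r.Context().Err() == nil {
			if _, err := w.Write(chunk); err != nil {
				return
			}
		}
	}))
}
func main() {
	srv := newEndlessAuthServer()
	defer srv.Close()
	resp, err := http.Get(srv.URL)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close() // unread data left: the client drops the connection
	_, err = readAuthBody(resp.Body, 1<<20) // 1 MiB placeholder cap
	fmt.Println("auth status:", resp.StatusCode, "body error:", err)
}
```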


Patches

    https://github.com/traefik/traefik/releases/tag/v2.11.38
    https://github.com/traefik/traefik/releases/tag/v3.6.9


Workarounds

No workaround available.


For more information

If you have any questions or comments about this advisory, please
open an issue.

Severity
Moderate
4.4 / 10

CVSS v3 base metrics
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2026-26998

Weaknesses
Weakness CWE-770

Credits

    @sm1ee (Reporter)

_____________________________________________________________________


TLS Handshake Error Handling Allows Stalled Connections on TCP
Routers
High
emilevauge published GHSA-xw98-5q62-jx94 Mar 4, 2026

Package
Traefik (Go)

Affected versions
<= v2.11.37
<= v3.6.8

Patched versions
v2.11.38
v3.6.9


Description

Impact

There is a potential vulnerability in how Traefik handles the TLS
handshake on TCP routers.

When Traefik processes a TLS connection on a TCP router, the read
deadline used to bound protocol sniffing is cleared before the TLS
handshake is completed. When a TLS handshake read error occurs, the
code attempts a second handshake with different connection
parameters, silently ignoring the initial error. A remote
unauthenticated client can exploit this by sending an incomplete TLS
record and stopping further data transmission, causing the TLS
handshake to stall indefinitely and holding connections open.

By opening many such stalled connections in parallel, an attacker
can exhaust file descriptors and goroutines, degrading
availability of all services on the affected entrypoint.
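An added example, not Traefik's code: a Go handshake wrapper that keeps one deadline in force through the whole TLS handshake and gives up on the first read error, exercised with a constructed net.Pipe client that stops after the record header. handshakeWithDeadline, stalledHandshake and the 200 ms timeout are this example's own choices.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"time"
)

// handshakeWithDeadline keeps a single deadline in force from the first byte
// until the handshake has completed or failed, and does not retry after a
// read error. Only a successful handshake lifts the deadline; application
// I/O should then set its own timeouts.
func handshakeWithDeadline(conn net.Conn, cfg *tls.Config, timeout time.Duration) (*tls.Conn, error) {
	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
		conn.Close()
		return nil, err
	}
	tc := tls.Server(conn, cfg)
	if err := tc.Handshake(); err != nil {
		conn.Close() // release the descriptor and the goroutine right away
		return nil, err
	}
	return tc, conn.SetDeadline(time.Time{})
}

// isTimeout reports whether the handshake failed because the peer went silent.
func isTimeout(err error) bool {
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout()
}

// stalledHandshake is a constructed regression check for the stall described
// in the advisory: the client side sends a 5-byte TLS record header that
// announces a 256-byte record and then goes quiet. It returns how long the
// server waited and the error it gave up with.
func stalledHandshake(timeout time.Duration) (time.Duration, error) {
	client, server := net.Pipe()
	defer client.Close()
	go client.Write([]byte{0x16, 0x03, 0x01, 0x01, 0x00}) // handshake type, TLS 1.0 header, length 256
	start := time.Now()
	_, err := handshakeWithDeadline(server, &tls.Config{}, timeout)
	return time.Since(start), err
}

func main() {
	waited, err := stalledHandshake(200 * time.Millisecond)
	fmt.Printf("server gave up after %v: %v (timeout=%t)\n", waited.Round(time.Millisecond), err, isTimeout(err))
}
```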


Patches

    https://github.com/traefik/traefik/releases/tag/v2.11.38
    https://github.com/traefik/traefik/releases/tag/v3.6.9

Workarounds

No workaround available.

For more information

If you have any questions or comments about this advisory, please
open an issue.


Severity
High
7.5 / 10

CVSS v3 base metrics
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2026-26999

Weaknesses
Weakness CWE-400

Credits

    @1seal (Reporter)

_____________________________________________________________________


Case-Sensitive Bypass in Connection Header Allows Removal of
X-Forwarded Headers
High
emilevauge published GHSA-92mv-8f8w-wq52 Mar 4, 2026

Package
Traefik (Go)

Affected versions
>= v2.11.9, <= v2.11.37
>= v3.1.3, <= v3.6.8

Patched versions
v2.11.38
v3.6.9

Description

Impact

There is a potential vulnerability in how Traefik handles the Connection
header together with the X-Forwarded headers.

When Traefik processes HTTP/1.1 requests, the protection put in place
to prevent the removal of Traefik-managed X-Forwarded headers (such
as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the
Connection header does not handle case sensitivity correctly. The
Connection tokens are compared case-sensitively against the protected
header names, but the actual header deletion operates
case-insensitively. As a result, a remote unauthenticated client can
use lowercase Connection tokens (e.g. Connection: x-real-ip) to
bypass the protection and trigger the removal of Traefik-managed
forwarded identity headers.

This is a bypass of the fix for CVE-2024-45410.

Depending on the deployment, the impact may be higher if downstream
services rely on these headers (such as X-Real-Ip or X-Forwarded-*)
for authentication, authorization, routing, or scheme decisions.
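An added example, not Traefik's code: a Go reconstruction of the mismatch, with the raw-compare guard beside the canonicalised one. stripConnectionHeaders, guardExact, guardCanonical and the protected-header list are this example's assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Proxy-managed identity headers a client must not strip via Connection tokens
// (list constructed for this example, in Go's canonical spelling).
var protectedHeaders = []string{"X-Real-Ip", "X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Port", "X-Forwarded-Proto"}

// stripConnectionHeaders removes each header named in Connection unless guard
// reports it protected. Header.Del canonicalises its argument, so the deletion
// is case-insensitive no matter how guard compares.
func stripConnectionHeaders(h http.Header, guard func(string) bool) {
	for _, tok := range strings.Split(h.Get("Connection"), ",") {
		if tok = strings.TrimSpace(tok); tok != "" && !guard(tok) {
			h.Del(tok)
		}
	}
}

// guardExact is the flawed guard: a raw, case-sensitive comparison that a
// lowercase token slips past.
func guardExact(tok string) bool {
	for _, p := range protectedHeaders {
		if tok == p {
			return true
		}
	}
	return false
}

// guardCanonical compares in the canonical form Header.Del will use.
func guardCanonical(tok string) bool {
	return guardExact(http.CanonicalHeaderKey(tok))
}

func main() {
	for name, guard := range map[string]func(string) bool{"exact": guardExact, "canonical": guardCanonical} {
		h := http.Header{"X-Real-Ip": {"203.0.113.5"}, "Connection": {"x-real-ip, Keep-Alive"}, "Keep-Alive": {"timeout=5"}}
		stripConnectionHeaders(h, guard)
		fmt.Printf("%-9s guard: X-Real-Ip=%q Keep-Alive=%q\n", name, h.Get("X-Real-Ip"), h.Get("Keep-Alive"))
	}
}
```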


Patches

    https://github.com/traefik/traefik/releases/tag/v2.11.38
    https://github.com/traefik/traefik/releases/tag/v3.6.9


Workarounds

No workaround available.


For more information

If you have any questions or comments about this advisory,
please open an issue.

Severity
High
7.5 / 10

CVSS v3 base metrics
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE ID
CVE-2026-29054

Weaknesses
Weakness CWE-178

Credits

    @1seal (Reporter)


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================