=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN343
_____________________________________________________________________

DATE                : 30/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Traefik (Go) versions prior
                            to 2.11.42, 3.6.12, 3.7.0-ea.3.

=====================================================================
https://github.com/traefik/traefik/security/advisories/GHSA-46wh-3698-f2cx
https://github.com/traefik/traefik/security/advisories/GHSA-qr99-7898-vr7c
https://github.com/traefik/traefik/security/advisories/GHSA-67jx-r9pv-98rj
_____________________________________________________________________



Fix CVE-2026-33186
High
nmengin published GHSA-46wh-3698-f2cx Mar 27, 2026

Package
Traefik (Go)

Affected versions
<= v2.11.41, <= v3.6.11, <= v3.7.0-ea.2

Patched versions
v2.11.42, v3.6.12, v3.7.0-ea.3


Description

Summary

There is a potential vulnerability in Traefik due to its dependency on
an affected version of gRPC-Go (CVE-2026-33186).

A remote, unauthenticated attacker can send gRPC requests with a
malformed HTTP/2 :path pseudo-header omitting the mandatory leading
slash (e.g., Service/Method instead of /Service/Method). While the server
routes such requests correctly, path-based authorization interceptors
evaluate the raw non-canonical path and fail to match "deny" rules,
allowing the request to bypass the policy entirely if a fallback "allow"
rule is present.
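The following Go program is an added illustration of the policy gap described above; it is not code from Traefik or gRPC-Go. It models a hypothetical path-based interceptor (Policy, rawAuthorize) that matches deny prefixes against the :path value as received, beside a variant that canonicalises the path before matching and a stricter one that rejects a non-canonical path outright. The service names, the deny prefix and the sample paths are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is a hypothetical path-based authorization policy of the shape the
// advisory describes: explicit deny rules are checked first and a fallback
// allow rule admits everything else.
type Policy struct {
	DenyPrefixes  []string // full-method prefixes to deny, e.g. "/admin.Service/"
	FallbackAllow bool
}

// rawAuthorize evaluates the :path value exactly as received, which is the
// flawed behaviour: "admin.Service/Reset" (no leading slash) is routed like
// "/admin.Service/Reset" but never matches the "/admin.Service/" deny prefix,
// so the fallback allow applies.
func rawAuthorize(p Policy, rawPath string) bool {
	for _, deny := range p.DenyPrefixes {
		if strings.HasPrefix(rawPath, deny) {
			return false
		}
	}
	return p.FallbackAllow
}

// canonicalPath brings the pseudo-header into the form the router matches on:
// a missing leading slash is added. Any further normalisation the server
// performs before dispatch belongs here too, so policy and router agree.
func canonicalPath(rawPath string) string {
	if !strings.HasPrefix(rawPath, "/") {
		return "/" + rawPath
	}
	return rawPath
}

// canonicalAuthorize normalises before evaluating the same policy, closing the
// gap between what the policy sees and what the router dispatches.
func canonicalAuthorize(p Policy, rawPath string) bool {
	return rawAuthorize(p, canonicalPath(rawPath))
}

// strictAuthorize is the more conservative option: a non-canonical :path is
// rejected rather than repaired, since a well-formed gRPC client always sends
// the leading slash and its absence is worth logging as anomalous.
func strictAuthorize(p Policy, rawPath string) bool {
	if rawPath != canonicalPath(rawPath) {
		return false
	}
	return rawAuthorize(p, rawPath)
}

func main() {
	policy := Policy{DenyPrefixes: []string{"/admin.Service/"}, FallbackAllow: true}
	// Constructed sample paths: canonical, missing the leading slash, and public.
	for _, path := range []string{"/admin.Service/Reset", "admin.Service/Reset", "/public.Service/Get"} {
		fmt.Printf("%-22s raw=%-5v canonical=%-5v strict=%v\n",
			path, rawAuthorize(policy, path), canonicalAuthorize(policy, path), strictAuthorize(policy, path))
	}
}
```

Whichever variant is chosen, the point is that the authorization decision and the routing decision must be made on the same representation of the path; a policy that sees a different string from the one the router dispatches on cannot be correct.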


Patches

    https://github.com/traefik/traefik/releases/tag/v2.11.42
    https://github.com/traefik/traefik/releases/tag/v3.6.12
    https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3


For more information

If you have any questions or comments about this advisory, please open
an issue.



Original Description

Summary

This CVE hits Traefik until version 3.6.11 and 2.11.41.
gRPC-Go has an authorization bypass via a missing leading slash in :path.


Details

As described in GHSA-p77j-4mvh-x3m3.

PoC

Update the library version in traefik/go.mod (line 108 at commit 67c64ed):

    google.golang.org/grpc v1.79.1

Impact

Described in GHSA-p77j-4mvh-x3m3.



Severity
High (7.8 / 10)

CVSS v4 base metrics

  Exploitability Metrics
    Attack Vector       : Network
    Attack Complexity   : Low
    Attack Requirements : None
    Privileges Required : None
    User Interaction    : None
  Vulnerable System Impact Metrics
    Confidentiality     : None
    Integrity           : None
    Availability        : None
  Subsequent System Impact Metrics
    Confidentiality     : High
    Integrity           : High
    Availability        : None

  Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

CVE ID
CVE-2026-33186

Weaknesses
CWE-285 (Improper Authorization)

_____________________________________________________________________


BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField
Moderate
nmengin published GHSA-qr99-7898-vr7c Mar 27, 2026

Package
Traefik (Go)

Affected versions
<= v2.11.41, <= v3.6.11, <= v3.7.0-ea.2

Patched versions
v2.11.42, v3.6.12, v3.7.0-ea.3


Description

Summary

There is a potential vulnerability in Traefik's Basic and Digest
authentication middlewares when headerField is configured with a
non-canonical HTTP header name.

An authenticated attacker with valid credentials can inject the canonical
version of the configured header to impersonate any identity to the backend.
Because Traefik writes the authenticated username using a non-canonical
map key, it creates a separate header entry rather than overwriting the
attacker's canonical one — causing most backend frameworks to read the
attacker-controlled value instead.
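The Go program below is an added demonstration of the header-map behaviour behind this advisory, written against the standard net/http package; it is not Traefik's middleware code. It assumes a hypothetical non-canonical headerField value of "x-webauth-user" (Go's canonical spelling is "X-Webauth-User"), a constructed request in which the client already sent the canonical header, and two middleware variants: flawedSetUser, which assigns the configured name verbatim as a map key, and fixedSetUser, which canonicalises and overwrites.

```go
package main

import (
	"fmt"
	"net/http"
)

// headerField is a hypothetical configured value in non-canonical form; Go's
// canonical spelling of it is "X-Webauth-User".
const headerField = "x-webauth-user"

// flawedSetUser writes the authenticated username with the configured field
// name used verbatim as the map key. Because http.Header is a plain map, this
// does not touch an existing "X-Webauth-User" entry; the two coexist.
func flawedSetUser(h http.Header, user string) {
	h[headerField] = []string{user}
}

// fixedSetUser drops any literal-key entry and then uses Header.Set, which
// canonicalises the key and overwrites whatever the client sent under it, so
// exactly one value reaches the backend.
func fixedSetUser(h http.Header, user string) {
	delete(h, headerField)
	h.Set(headerField, user)
}

// backendIdentity models a backend framework looking the header up by its
// canonical name; Header.Get canonicalises the key before the lookup.
func backendIdentity(h http.Header) string {
	return h.Get(headerField)
}

// newSpoofingRequest is a constructed request in which the client already
// sent the canonical header before the authentication middleware ran.
func newSpoofingRequest() *http.Request {
	req, err := http.NewRequest(http.MethodGet, "http://backend.internal/", nil)
	if err != nil {
		panic(err)
	}
	req.Header.Set(headerField, "admin") // client-supplied value
	return req
}

// identitySeenByBackend runs one middleware variant and reports the username
// the backend would read, plus how many map entries now carry that header.
func identitySeenByBackend(setUser func(http.Header, string)) (string, int) {
	req := newSpoofingRequest()
	setUser(req.Header, "alice") // the identity that actually authenticated
	n := 0
	for k := range req.Header {
		if http.CanonicalHeaderKey(k) == http.CanonicalHeaderKey(headerField) {
			n++
		}
	}
	return backendIdentity(req.Header), n
}

func main() {
	variants := []struct {
		name string
		set  func(http.Header, string)
	}{{"flawed", flawedSetUser}, {"fixed", fixedSetUser}}
	for _, v := range variants {
		id, n := identitySeenByBackend(v.set)
		fmt.Printf("%-6s backend sees %q across %d header entries\n", v.name, id, n)
	}
}
```

When the request is forwarded over the wire, the flawed variant emits both header lines, and which one a non-Go backend reads depends on its framework; the advisory notes that most read the client-controlled one. The fix is independent of that: an identity header set by a trust boundary must replace, not sit beside, whatever the client sent under any spelling of that name.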


Patches

    https://github.com/traefik/traefik/releases/tag/v2.11.42
    https://github.com/traefik/traefik/releases/tag/v3.6.12
    https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3

For more information

If you have any questions or comments about this advisory, please open
an issue: https://github.com/traefik/traefik/issues


Original Description


Severity
Moderate (5.1 / 10)

CVSS v4 base metrics

  Exploitability Metrics
    Attack Vector       : Network
    Attack Complexity   : High
    Attack Requirements : Present
    Privileges Required : High
    User Interaction    : None
  Vulnerable System Impact Metrics
    Confidentiality     : None
    Integrity           : None
    Availability        : None
  Subsequent System Impact Metrics
    Confidentiality     : High
    Integrity           : High
    Availability        : None

  Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

CVE ID
CVE-2026-33433

Weaknesses
CWE-290 (Authentication Bypass by Spoofing)

Credits

    @0xVijay (Reporter)

_____________________________________________________________________


Ingress Rule Injection Allows Host Restriction Bypass in Traefik
Moderate
nmengin published GHSA-67jx-r9pv-98rj Mar 27, 2026

Package
github.com/traefik/traefik (Go)

Affected versions
<= v3.6.10, <= v3.7.0-ea.1

Patched versions
v3.6.11, v3.7.0-ea.2


Description

Summary

There is a potential vulnerability in Traefik's Kubernetes Knative,
Ingress, and Ingress-NGINX providers related to rule injection.

User-controlled values are interpolated into backtick-delimited Traefik
router rule expressions without escaping or validation. A malicious
value containing a backtick can terminate the literal and inject
additional operators into Traefik's rule language, altering the
parsed rule tree. In shared or multi-tenant deployments, this can
bypass host and header routing constraints and redirect unauthorized
traffic to victim services.
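The Go program below is an added example of the rule-building pattern described above and of the defensive counterpart; it is not code from Traefik's Kubernetes providers. It assumes a hypothetical builder that produces a Host() rule from a tenant-supplied hostname: unsafeHostRule interpolates the value verbatim into the backtick-delimited literal, while safeHostRule validates the value against a strict hostname allowlist first. A small review-time check, flagSuspiciousRuleInputs, reports any candidate value containing a backtick. The sample host values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// hostnameRe is a strict allowlist for a DNS hostname: labels of letters,
// digits and inner hyphens, joined by dots. Backticks, quotes, parentheses,
// spaces and rule-language operator characters can never match it.
var hostnameRe = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$`)

var errUnsafeValue = errors.New("value rejected: not a plain hostname")

// unsafeHostRule interpolates the user-controlled value verbatim into the
// backtick-delimited literal, which is the pattern the advisory describes.
func unsafeHostRule(host string) string {
	return fmt.Sprintf("Host(`%s`)", host)
}

// safeHostRule validates against the allowlist before interpolating, so the
// literal cannot be terminated early by a backtick in the value.
func safeHostRule(host string) (string, error) {
	if len(host) == 0 || len(host) > 253 || !hostnameRe.MatchString(host) {
		return "", errUnsafeValue
	}
	return fmt.Sprintf("Host(`%s`)", host), nil
}

// flagSuspiciousRuleInputs is a review-time check over values taken from
// ingress objects (hosts, header values): anything containing a backtick is
// reported, since no legitimate hostname or header value needs one.
func flagSuspiciousRuleInputs(values []string) []string {
	var flagged []string
	for _, v := range values {
		if strings.Contains(v, "`") {
			flagged = append(flagged, v)
		}
	}
	return flagged
}

func main() {
	// Constructed sample host values: two legitimate, one carrying a backtick.
	samples := []string{"tenant-a.example.com", "api.example.com", "tenant-b.example.com`"}
	for _, h := range samples {
		rule, err := safeHostRule(h)
		fmt.Printf("%-26q safe=%-34q err=%v\n", h, rule, err)
	}
	fmt.Println("unsafe builder output:", unsafeHostRule(samples[2]))
	fmt.Println("flagged for review:", flagSuspiciousRuleInputs(samples))
}
```

The allowlist deliberately rejects wildcard hosts such as *.example.com; a deployment that needs them should extend the pattern explicitly rather than relax it to "anything without a backtick", because other characters also have meaning in the rule language. On a cluster where the patched versions cannot be rolled out immediately, running flagSuspiciousRuleInputs over the host and header values of existing Ingress objects is a cheap way to spot values that deserve a closer look.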


Patches

    https://github.com/traefik/traefik/releases/tag/v3.6.11
    https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2

For more information

If you have any questions or comments about this advisory, please open
an issue.


Original Description

Severity
Moderate (6.3 / 10)

CVSS v4 base metrics

  Exploitability Metrics
    Attack Vector       : Network
    Attack Complexity   : Low
    Attack Requirements : None
    Privileges Required : Low
    User Interaction    : None
  Vulnerable System Impact Metrics
    Confidentiality     : None
    Integrity           : None
    Availability        : None
  Subsequent System Impact Metrics
    Confidentiality     : High
    Integrity           : None
    Availability        : None

  Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

CVE ID
CVE-2026-32695

Weaknesses
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================