
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN426
_____________________________________________________________________

DATE                : 24/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Traefik versions prior to
                            2.11.43, 3.6.14, 3.7.0-rc.2.

=====================================================================
https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm
https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54
https://github.com/traefik/traefik/security/advisories/GHSA-6x2q-h3cr-8j2h
https://github.com/traefik/traefik/security/advisories/GHSA-xhjw-95fp-8vgq
_____________________________________________________________________


Forwarded alias spoofing top pre-auth decision bypass
High
nmengin published GHSA-5m6w-wvh7-57vm Apr 24, 2026

Package
Traefik (Go)

Affected versions
<= v2.11.42, <= v3.6.13, <= v3.7.0-rc.1

Patched versions
v2.11.43, v3.6.14, v3.7.0-rc.2


Description

Summary

There is a high severity authentication bypass vulnerability in
Traefik's ForwardAuth and snippet-based authentication middleware.
Traefik's forwarded-header sanitization logic targets only canonical
header names (e.g., X-Forwarded-Proto) and does not strip or normalize
alias variants that use underscores instead of dashes (e.g.,
X_Forwarded_Proto). These unsanitized alias headers are forwarded intact
to the authentication backend. When the backend normalizes underscore
and dash header forms equivalently, an attacker can inject spoofed trust
context — such as a trusted scheme or host — through the alias headers
and bypass authentication on protected routes without valid credentials.


Patches

    https://github.com/traefik/traefik/releases/tag/v2.11.43
    https://github.com/traefik/traefik/releases/tag/v3.6.14
    https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2

For more information

If you have any questions or comments about this advisory, please open
an issue.


Original Description

Severity
High
7.8 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability None
Subsequent System Impact Metrics
Confidentiality High
Integrity Low
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

CVE ID
CVE-2026-39858

Weaknesses
Weakness CWE-290
Weakness CWE-306

Credits

    @fancymalware fancymalware Reporter

_____________________________________________________________________


ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix
to bypass auth

High
nmengin published GHSA-6384-m2mw-rf54 Apr 24, 2026

Package
Traefik (Go)

Affected versions
<= v2.11.42, <= v3.6.13, <= v3.7.0-rc.1

Patched versions
v2.11.43, v3.6.14, v3.7.0-rc.2


Description

Summary

There is a high-severity authentication bypass vulnerability in
Traefik's ForwardAuth middleware when trustForwardHeader=false is
configured and Traefik is deployed behind a trusted upstream proxy.

While X-Forwarded-* headers (such as X-Forwarded-For, X-Forwarded-Host,
and X-Forwarded-Proto) from trusted context are correctly rebuilt, the
middleware does not strip or rebuild X-Forwarded-Prefix, leaving any
attacker-supplied value intact in the subrequest forwarded to the
authentication service.

When the authentication service makes authorization decisions based
on X-Forwarded-Prefix, an external attacker can spoof a trusted prefix
value and gain unauthorized access to protected backend routes.
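Both advisories above reduce to one rule: when trustForwardHeader=false, nothing a client sends in any spelling of an X-Forwarded-* header (dash, underscore or mixed case) may reach the authentication backend, and X-Forwarded-Prefix must not be rebuilt from client input at all. The sanitizer below is an added illustration in Go and is not Traefik's own code; the header list, the function names and the use of Go's net/http.Header are assumptions made for the example.

```go
package main

import (
	"net/http"
	"strings"
)

// Forwarded headers an untrusted client must not be able to set. The list and
// the sanitizer are an added example, not Traefik's own code.
var forwardedHeaders = []string{
	"X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Proto",
	"X-Forwarded-Port", "X-Forwarded-Prefix", "X-Real-Ip",
}

// isAlias reports whether name is any dash/underscore spelling of canonical,
// compared case-insensitively (X_Forwarded_Proto, x-forwarded_prefix, ...).
// Go's net/http stores such keys distinctly ("X_forwarded_proto"), so a lookup
// by the canonical name alone never sees them.
func isAlias(name, canonical string) bool {
	return strings.EqualFold(strings.ReplaceAll(name, "_", "-"), canonical)
}

// SanitizeForwarded models trustForwardHeader=false: every canonical or alias
// forwarded header is dropped and only X-Forwarded-For/Host/Proto are rebuilt
// from what the proxy itself observed. X-Forwarded-Prefix is deliberately not
// rebuilt, so an auth backend keyed on it never sees a client-supplied value.
// With trusted=true (trustForwardHeader=true) headers pass through unchanged.
// The names it dropped are returned so the caller can log them: on a proxy
// that is the only untrusted entry point, any alias spelling is worth alerting on.
func SanitizeForwarded(h http.Header, trusted bool, remoteIP, host, proto string) []string {
	if trusted {
		return nil
	}
	var dropped []string
	for name := range h {
		for _, canonical := range forwardedHeaders {
			if isAlias(name, canonical) {
				delete(h, name) // deleting while ranging over a map is safe in Go
				dropped = append(dropped, name)
				break
			}
		}
	}
	h.Set("X-Forwarded-For", remoteIP)
	h.Set("X-Forwarded-Host", host)
	h.Set("X-Forwarded-Proto", proto)
	return dropped
}
```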


Patches

    https://github.com/traefik/traefik/releases/tag/v2.11.43
    https://github.com/traefik/traefik/releases/tag/v3.6.14
    https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2

For more information

If you have any questions or comments about this advisory, please
open an issue.


Original Description


Severity
High
/ 10
CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability None
Subsequent System Impact Metrics
Confidentiality High
Integrity Low
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
CVE ID
CVE-2026-35051
Weaknesses
Weakness CWE-345
Credits

    @Zwique Zwique Reporter

_____________________________________________________________________


BasicAuth middleware: timing side-channel vulnerability
Moderate
nmengin published GHSA-6x2q-h3cr-8j2h Apr 24, 2026

Package
Traefik (Go)

Affected versions
<= v2.11.42, <= v3.6.13, <= v3.7.0-rc.1

Patched versions
v2.11.43, v3.6.14, v3.7.0-rc.2

Description

Summary

There is a timing side-channel vulnerability in Traefik's BasicAuth
middleware that allows an attacker to enumerate valid usernames through
response-time differences.

The variable intended to hold a constant-time fallback secret always
resolves to an empty string, causing the constant-time comparison to
short-circuit in microseconds rather than performing a full bcrypt
evaluation. This restores the original timing oracle and makes it possible
to distinguish existing users from non-existing ones by measuring
authentication response times.
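The defect and its fix, as an added Go example that is not Traefik's code: the bcrypt evaluation is replaced by an iterated SHA-256 stand-in (an assumption, so the block runs with the standard library alone), and compareHash returns the work it actually did so that the short-circuit is observable without measuring response times. The fallback hash is assumed to be computed once at startup from a random secret; passing an empty string for it reproduces the behaviour the advisory describes.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
)

// costRounds stands in for the bcrypt cost factor. Added example, not Traefik's
// code: an iterated SHA-256 replaces bcrypt so the block needs no dependency.
const costRounds = 1 << 12

func slowHash(password string) string {
	sum := sha256.Sum256([]byte(password))
	for i := 1; i < costRounds; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return hex.EncodeToString(sum[:])
}

var errHashTooShort = errors.New("hash too short")

// compareHash has the shape of bcrypt.CompareHashAndPassword: an empty stored
// hash is rejected before any work is done, a real one costs a full evaluation.
// The rounds actually performed are returned so the difference is observable
// without timing.
func compareHash(stored, password string) (ok bool, rounds int, err error) {
	if stored == "" {
		return false, 0, errHashTooShort
	}
	computed := slowHash(password)
	return subtle.ConstantTimeCompare([]byte(stored), []byte(computed)) == 1, costRounds, nil
}

// authenticate verifies unknown users against fallback so that the known and
// unknown paths do the same work. fallback == "" reproduces the advisory's bug:
// unknown users short-circuit and become distinguishable by response time.
// A match against fallback never grants access: the user must exist.
func authenticate(users map[string]string, fallback, user, password string) (bool, int) {
	stored, known := users[user]
	if !known {
		stored = fallback
	}
	ok, rounds, err := compareHash(stored, password)
	return ok && known && err == nil, rounds
}
```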


Patches

    https://github.com/traefik/traefik/releases/tag/v2.11.43
    https://github.com/traefik/traefik/releases/tag/v3.6.14
    https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2

For more information

If you have any questions or comments about this advisory, please
open an issue.


Original Description



Severity
Moderate
6.3 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity High
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability None
Subsequent System Impact Metrics
Confidentiality Low
Integrity None
Availability None
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

CVE ID
CVE-2026-41263

Weaknesses
Weakness CWE-208

Credits

    @kodareef5 kodareef5 

_____________________________________________________________________


Traefik Kubernetes CRD allows unauthorized cross-namespace middleware
binding

Moderate
nmengin published GHSA-xhjw-95fp-8vgq Apr 24, 2026

Package
Traefik (Go)

Affected versions
<= v2.11.42, <= v3.6.13, <= v3.7.0-rc.1

Patched versions
v2.11.43, v3.6.14, v3.7.0-rc.2


Description

Summary

There is a potential vulnerability in Traefik's Kubernetes CRD provider
cross-namespace isolation enforcement.

When providers.kubernetesCRD.allowCrossNamespace=false, Traefik correctly
rejects direct cross-namespace middleware references from IngressRoute
objects, but fails to apply the same restriction to middleware references
nested inside a Chain middleware's spec.chain.middlewares[]. An actor
with permission to create or update Traefik CRDs in their own namespace
can exploit this to cause Traefik to resolve and apply middleware objects
from another namespace, bypassing the documented isolation boundary.
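An added Go example of the missing check, not the Kubernetes CRD provider's own code: resolve an IngressRoute's middleware references and apply the allowCrossNamespace restriction recursively through each Chain's spec.chain.middlewares[], so a chain in the caller's namespace cannot pull in a middleware from another one. The types, the map keyed by namespace/name and the function name are assumptions made for the example.

```go
package main

import "fmt"

// MiddlewareRef is a reference as written in an IngressRoute or in a Chain's
// spec.chain.middlewares[]; an empty Namespace defaults to the referrer's.
type MiddlewareRef struct{ Name, Namespace string }
// Minimal model of a Traefik Middleware object (added example, not the
// provider's own types); Chain is non-empty for a chain middleware.
type Middleware struct {
	Name, Namespace string
	Chain           []MiddlewareRef
}
// ResolveMiddlewares resolves refs made from namespace ns into "ns/name" keys.
// With allowCrossNamespace=false a reference into another namespace is rejected
// whether direct or nested: chain entries are re-checked with the chain's own
// namespace as referrer, which is the check the advisory describes as missing.
func ResolveMiddlewares(all map[string]Middleware, ns string, refs []MiddlewareRef, allowCrossNamespace bool) ([]string, error) {
	var out []string
	seen := map[string]bool{} // de-duplicates and stops chain cycles
	var walk func(ns string, refs []MiddlewareRef) error
	walk = func(ns string, refs []MiddlewareRef) error {
		for _, r := range refs {
			target := r.Namespace
			if target == "" {
				target = ns
			}
			if !allowCrossNamespace && target != ns {
				return fmt.Errorf("%s/%s: cross-namespace reference from %s rejected", target, r.Name, ns)
			}
			k := target + "/" + r.Name
			mw, ok := all[k]
			if !ok {
				return fmt.Errorf("%s: middleware not found", k)
			}
			if !seen[k] {
				seen[k] = true
				out = append(out, k)
				if err := walk(mw.Namespace, mw.Chain); err != nil {
					return err
				}
			}
		}
		return nil
	}
	if err := walk(ns, refs); err != nil {
		return nil, err
	}
	return out, nil
}
```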


Patches

    https://github.com/traefik/traefik/releases/tag/v2.11.43
    https://github.com/traefik/traefik/releases/tag/v3.6.14
    https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2

For more information

If you have any questions or comments about this advisory, please open an
issue.


Original Description


Severity
Moderate
4.8 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Local
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability None
Subsequent System Impact Metrics
Confidentiality Low
Integrity Low
Availability None
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CVE ID
CVE-2026-41174

Weaknesses
No CWEs

Credits

    @tamemghq tamemghq 


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




