CVE-2026-54765 in Traefikinfo

Summary

by MITRE • 07/07/2026

Traefik is an open source HTTP reverse proxy and load balancer. From v3.7.0 prior to v3.7.6, Traefik's Kubernetes Gateway API provider may resolve two accepted HTTPRoutes that target the same backend Service:port but configure different backendRef filters to the same child service and apply only one route's filter set to all requests reaching that backend. In Gateway deployments where backendRef filters set security-sensitive headers, such as tenant identity, authorization context, or values the backend trusts, an attacker who can create an accepted HTTPRoute sharing the same backend Service:port may cause their route's filter context to be applied to another route's requests, potentially crossing namespace boundaries when a ReferenceGrant permits cross-namespace targeting. This issue is fixed in version v3.7.6.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability resides within Traefik's Kubernetes Gateway API provider implementation where a critical misconfiguration occurs when multiple HTTPRoutes target the same backend service and port combination but apply different backendRef filters. This flaw specifically affects versions between v3.7.0 and v3.7.5, creating a scenario where the system resolves conflicting route configurations incorrectly. The core issue manifests when two distinct routes reference identical backend services while maintaining separate filter sets designed to inject security-sensitive headers such as tenant identity, authorization context, or trust-based values that the backend service relies upon for access control decisions.

From a technical perspective, this represents a configuration resolution failure that violates fundamental principles of network security isolation. The system fails to properly distinguish between different filter contexts applied to the same backend endpoint, resulting in a scenario where only one route's filter set gets applied universally to all requests reaching that specific service:port combination. This creates an unintended information flow where sensitive header values from one route's filter configuration can be inadvertently applied to requests intended for a different route, effectively bypassing the security controls that were specifically designed to maintain separation between distinct routing contexts.

The operational impact of this vulnerability extends beyond simple misconfiguration to represent a potential security breach in multi-tenant environments. When ReferenceGrants permit cross-namespace targeting, an attacker can exploit this flaw by creating an accepted HTTPRoute that shares the same backend Service:port as another legitimate route. This allows for unauthorized header injection across namespace boundaries, potentially enabling privilege escalation or data leakage between different tenant contexts. The vulnerability essentially creates a race condition where filter configurations are not properly isolated based on their originating routes, undermining the security model that should maintain separation between distinct routing policies.

This issue maps directly to CWE-284 (Improper Access Control) and CWE-352 (Cross-Site Request Forgery) categories within the Common Weakness Enumeration framework, as it represents a failure in access control mechanisms that should prevent unauthorized configuration application. The vulnerability also aligns with ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) and T1566.002 (Phishing: Spearphishing Attachment) when considering how an attacker might leverage this misconfiguration to gain unauthorized access through manipulated security headers that the backend service trusts.

The recommended mitigation strategy involves immediate upgrading to Traefik version 3.7.6 or later, which contains the necessary fixes to properly isolate filter configurations for different routes targeting the same backend endpoint. Organizations should also implement additional monitoring of Gateway API route configurations and conduct thorough reviews of ReferenceGrant policies to minimize cross-namespace access where possible. Security teams should validate that their current deployments are not vulnerable by checking for instances where multiple HTTPRoutes might target identical service:port combinations with differing filter sets, ensuring proper isolation of security contexts through configuration audits and access control reviews that align with the principle of least privilege enforcement.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!