CVE-2026-41174
Received Received - Intake
Middleware Bypass in Traefik Kubernetes CRD Provider

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: GitHub, Inc.

Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetesCRD.allowCrossNamespace=false, Traefik correctly rejects direct cross-namespace middleware references from IngressRoute objects, but fails to apply the same restriction to middleware references nested inside a Chain middleware's spec.chain.middlewares[]. An actor with permission to create or update Traefik CRDs in their own namespace can exploit this to cause Traefik to resolve and apply middleware objects from another namespace, bypassing the documented isolation boundary. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41174
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
traefik traefik 3.7.0
traefik traefik 3.7.0
traefik traefik to 2.11.43 (exc)
traefik traefik From 3.0.0 (inc) to 3.6.14 (exc)
traefik traefik 3.7.0
traefik traefik 3.7.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-653 The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, upgrade Traefik to one of the patched versions: 2.11.43, 3.6.14, or 3.7.0-rc.2.

Ensure that the configuration setting providers.kubernetesCRD.allowCrossNamespace is set to false to enforce cross-namespace isolation.

Executive Summary

This vulnerability exists in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When the setting providers.kubernetesCRD.allowCrossNamespace is set to false, Traefik correctly blocks direct cross-namespace middleware references from IngressRoute objects. However, it fails to enforce this restriction on middleware references that are nested inside a Chain middleware's spec.chain.middlewares[].

As a result, an actor who has permission to create or update Traefik CRDs in their own namespace can exploit this flaw to cause Traefik to resolve and apply middleware objects from another namespace, effectively bypassing the intended isolation boundary.

This issue was fixed in Traefik versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

Impact Analysis

This vulnerability can allow an attacker with limited permissions in one namespace to bypass namespace isolation and apply middleware configurations from another namespace. This could lead to unauthorized modification of traffic routing or processing behavior in Traefik, potentially impacting the security and stability of services running in other namespaces.

Compliance Impact

This vulnerability allows unauthorized cross-namespace middleware binding in Traefik's Kubernetes CRD provider, potentially enabling an attacker with limited permissions to apply middleware from another namespace. Such unauthorized access and policy bypass could lead to improper enforcement of security controls and data handling policies.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability to bypass namespace isolation and apply middleware across namespaces could undermine data segregation and access controls required by these regulations.

Therefore, organizations relying on Traefik for Kubernetes ingress and middleware enforcement should consider this vulnerability as a risk to maintaining strict isolation and control over data and processing flows, which are critical for compliance with regulations that mandate data protection and access restrictions.

Detection Guidance

This vulnerability involves Traefik's Kubernetes CRD provider incorrectly allowing cross-namespace middleware references inside Chain middlewares when the allowCrossNamespace setting is false.

To detect this vulnerability on your system, you should check your Traefik version to see if it is prior to the patched versions (2.11.43, 3.6.14, or 3.7.0-rc.2).

Additionally, inspect your Kubernetes CRD configurations for Chain middlewares that reference middlewares in other namespaces despite allowCrossNamespace being set to false.

  • Use kubectl commands to list Chain middlewares and check their nested middleware references for cross-namespace usage, for example:
  • kubectl get middlewares -A -o yaml | grep -B 5 -A 5 'chain:'
  • Look specifically for entries under spec.chain.middlewares[].namespace that differ from the namespace of the Chain middleware itself.
  • Check Traefik logs for errors related to cross-namespace middleware references if allowCrossNamespace is false, as patched versions log such errors.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41174. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart