CVE-2026-48020
Modified Modified - Updated After Analysis

Path Traversal in Traefik StripPrefix Middleware

Vulnerability report for CVE-2026-48020, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing .. or its percent-encoded form %2e%2e can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths β€” such as admin or internal configuration endpoints β€” without satisfying the authentication middleware attached to the protected router. This vulnerability is fixed in 2.11.48, 3.6.19, and 3.7.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-30
Generated
2026-07-14
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
traefik traefik to 2.11.48 (exc)
traefik traefik From 3.0.0 (inc) to 3.6.19 (exc)
traefik traefik From 3.7.0 (inc) to 3.7.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-48020 is a high-severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization.

The issue arises when a public router uses a PathPrefix rule combined with the StripPrefix middleware. If a request path contains ".." or its percent-encoded form "%2e%2e", the request initially matches the public route during routing. However, after the prefix is stripped and the path is normalized, the request resolves to a path served by a separate, authenticated router.

This means an attacker can access protected backend paths such as admin or internal configuration endpoints without passing the authentication middleware intended to protect those routes.

The root cause is the path normalization process after prefix stripping, which modifies the request path in a way that bypasses intended routing rules.

This vulnerability affects Traefik versions up to v2.11.46, v3.6.17, and v3.7.1 and has been fixed in versions v2.11.48, v3.6.19, and v3.7.3.

Impact Analysis

This vulnerability can allow an unauthenticated attacker to bypass authentication and authorization controls on protected routes.

As a result, attackers can access sensitive backend paths such as admin interfaces, internal configuration endpoints, secrets, or management functionality that should be protected.

In some cases, if the backend exposes execution primitives, this unauthorized access could lead to conditional remote code execution.

Detection Guidance

This vulnerability can be detected by testing if requests containing ".." or its percent-encoded form "%2e%2e" in the path can bypass route-level authentication and authorization in Traefik's StripPrefix middleware.

Specifically, you can attempt to send HTTP requests to public routes that use PathPrefix rules with StripPrefix middleware, including paths like /api/.. or /api/%2e%2e, and observe if you can access protected backend paths such as /admin or /internal/config without authentication.

Example curl command to test this might be:

  • curl -i http://your-traefik-host/api/../admin
  • curl -i http://your-traefik-host/api/%2e%2e/admin

If these requests return responses from protected endpoints without authentication, the system is vulnerable.

Mitigation Strategies

The primary mitigation is to upgrade Traefik to a fixed version: v2.11.48, v3.6.19, or v3.7.3, where this vulnerability has been patched.

If upgrading immediately is not possible, you should apply stricter routing rules to avoid the bypass. Specifically, use stricter prefix boundaries such as PathRegexp(`^/api(/|$)`) or PathPrefix(`/api/`) combined with StripPrefix(`/api/`) middleware to prevent path normalization from allowing unauthorized access.

Additionally, review and audit your routing and middleware configurations to ensure that no public routes can be manipulated to access protected backend paths.

Compliance Impact

The vulnerability in Traefik's StripPrefix middleware allows unauthenticated attackers to bypass route-level authentication and authorization, potentially accessing protected backend paths such as admin or internal configuration endpoints.

This unauthorized access to protected resources could lead to exposure of sensitive data or management functionality, which may impact compliance with standards and regulations like GDPR or HIPAA that require strict access controls and protection of sensitive information.

If exploited, the vulnerability could result in unauthorized data access or modification, thereby violating requirements for data confidentiality and integrity mandated by such regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48020. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart