CVE-2026-54761
Status: Received - Intake
Traefik Kubernetes Gateway HTTPRoute Namespace Bypass

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.21 and 3.7.5, there is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist. For HTTPRoute rules that declare multiple (WRR) backendRefs, Traefik evaluates the allowlist against the target backendRef.namespace instead of the route's own namespace. As a result, an HTTPRoute created in a namespace that is not allow-listed can reference a cross-provider TraefikService such as api@internal, dashboard@internal or rest@internal by pointing backendRef.namespace at an allow-listed namespace covered by a Gateway API ReferenceGrant, exposing internal Traefik services on the data plane. Exploitation requires the ability to create an accepted HTTPRoute and a matching ReferenceGrant from an allow-listed namespace; it does not require any change to Traefik static configuration, RBAC, or the deployment itself. This vulnerability is fixed in 3.6.21 and 3.7.5.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs. The ranges below follow the advisory text ("prior to 3.6.21 and 3.7.5"); the fixed versions themselves are not affected.
Vendor | Product | Affected versions
traefik | traefik | 3.6.x before 3.6.21 (and earlier 3.x releases)
traefik | traefik | 3.7.x before 3.7.5
Weaknesses (CWE)
CWE-284 Improper Access Control: the product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-863 Incorrect Authorization: the product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

CVE-2026-54761 is a vulnerability in Traefik's Kubernetes Gateway provider in the way it enforces the crossProviderNamespaces allowlist. For an HTTPRoute rule that declares more than one backendRef (the weighted round robin, WRR, path), Traefik evaluates the allowlist against each backendRef's namespace rather than the HTTPRoute's own namespace. Since the author of the route chooses the backendRef namespace, the value being checked is attacker-controlled.

This flaw allows an HTTPRoute created in a namespace that is not allow-listed to reference internal Traefik services (such as api@internal, dashboard@internal, or rest@internal) by pointing backendRef.namespace to an allow-listed namespace covered by a Gateway API ReferenceGrant. As a result, internal Traefik services can be exposed on the data plane.

Exploitation requires the ability to create an accepted HTTPRoute and a matching ReferenceGrant from an allow-listed namespace, but does not require changes to Traefik's static configuration, RBAC, or deployment.

Impact Analysis

This vulnerability lets a workload owner in a namespace outside the crossProviderNamespaces allowlist expose Traefik's internal services on the data plane. The attacker needs two things the Gateway API model already treats as routine: permission to create an HTTPRoute in their own namespace that a Gateway accepts, and a ReferenceGrant in an allow-listed namespace whose `from` entry names the attacker's namespace. Whoever can create ReferenceGrants in an allow-listed namespace therefore decides the outcome of the allowlist check.

What is exposed depends on which internal services are enabled: api@internal serves the Traefik API (routers, services, middlewares and their configuration), dashboard@internal serves the dashboard, and rest@internal is the endpoint of the REST provider, which accepts dynamic-configuration pushes when that provider is enabled. Reaching the first two discloses the cluster's full routing configuration; reaching the third lets the attacker add or alter routers and services.

Mitigation Strategies

To fix this vulnerability, upgrade Traefik to 3.6.21 or later on the 3.6 line, or to 3.7.5 or later on the 3.7 line.

The fix rejects cross-provider references (backend names of the form name@provider, such as api@internal) that set backendRefs.namespace, so the reference namespace can no longer stand in for the route's own namespace in the allowlist check. Expect any existing HTTPRoute that sets a namespace on such a reference to stop being accepted after the upgrade; remove the namespace field from those references before rolling the new version out.

Upgrading is the remediation. The statement that no static-configuration, RBAC or deployment change is needed describes what an attacker requires, not what defenders must do. Until the upgrade is rolled out, reduce exposure by treating ReferenceGrant creation in allow-listed namespaces as a privileged operation, auditing existing ReferenceGrants in those namespaces for `from` entries that name tenant namespaces, and reviewing HTTPRoutes cluster-wide for cross-provider references that set backendRefs.namespace.
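The bypass shape described in the advisory and the pre-upgrade cleanup can both be checked mechanically. The following is an added example, not code from the advisory, from Traefik or from this page: a Python audit that reads the JSON of `kubectl get httproutes -A -o json` and flags cross-provider references that set backendRefs.namespace. The embedded cluster dump is constructed; the namespace names, the `traefik.io` group and `TraefikService` kind on the references, and the script name in the usage comment are assumptions. The only rule it relies on is Traefik's own naming convention that services from other providers are written as name@provider.

```python
"""Audit HTTPRoutes for the CVE-2026-54761 bypass shape (added example).

Reads the JSON from `kubectl get httproutes -A -o json` and reports every
cross-provider Traefik reference (backendRefs.name of the form name@provider,
e.g. api@internal) that sets backendRefs.namespace. Fixed Traefik versions
reject such references; on vulnerable versions a rule with more than one
backendRef lets a route outside the crossProviderNamespaces allowlist pass the
check by pointing that namespace at an allow-listed namespace.
"""
import json
import sys

# Constructed sample dump: illustrative names and namespaces only, not a real
# cluster. The traefik.io / TraefikService group and kind on the references are
# an assumption about how the cross-provider reference is spelled.
SAMPLE_KUBECTL_OUTPUT = json.dumps({"kind": "List", "items": [
    {   # Fine: allow-listed namespace, no namespace on the reference.
        "kind": "HTTPRoute",
        "metadata": {"name": "dashboard", "namespace": "traefik-system"},
        "spec": {"rules": [{"backendRefs": [
            {"group": "traefik.io", "kind": "TraefikService", "name": "dashboard@internal"},
        ]}]},
    },
    {   # Bypass shape from the advisory: tenant namespace, two weighted
        # backendRefs, the cross-provider one pointing its namespace at the
        # allow-listed namespace (a ReferenceGrant there makes it accepted).
        "kind": "HTTPRoute",
        "metadata": {"name": "sneaky", "namespace": "tenant-a"},
        "spec": {"rules": [{"backendRefs": [
            {"name": "frontend", "port": 80, "weight": 1},
            {"group": "traefik.io", "kind": "TraefikService", "name": "api@internal",
             "namespace": "traefik-system", "weight": 1},
        ]}]},
    },
    {   # Breaks after the upgrade: legitimate namespace, but the reference
        # redundantly sets namespace, which the fixed versions reject.
        "kind": "HTTPRoute",
        "metadata": {"name": "legacy-api", "namespace": "traefik-system"},
        "spec": {"rules": [{"backendRefs": [
            {"name": "api-proxy", "port": 8080, "weight": 9},
            {"group": "traefik.io", "kind": "TraefikService", "name": "api@internal",
             "namespace": "traefik-system", "weight": 1},
        ]}]},
    },
    {   # Ordinary tenant route with a plain Service backend: not reported.
        "kind": "HTTPRoute",
        "metadata": {"name": "shop", "namespace": "tenant-b"},
        "spec": {"rules": [{"backendRefs": [{"name": "shop", "port": 80, "namespace": "tenant-b"}]}]},
    },
]})


def is_cross_provider_ref(ref: dict) -> bool:
    """Traefik names services from other providers as name@provider;
    a plain Kubernetes Service name never contains '@'."""
    return "@" in ref.get("name", "")


def audit_httproutes(kubectl_json: str, allowlisted_namespaces: set) -> list:
    """Return one finding per cross-provider reference that sets a namespace.

    severity "high":   route namespace NOT allow-listed, more than one backendRef
                       in the rule (the WRR path) and the reference namespace IS
                       allow-listed: the exact bypass shape.
    severity "medium": any other cross-provider reference with a namespace;
                       harmless today, rejected once Traefik is upgraded.
    """
    findings = []
    for obj in json.loads(kubectl_json).get("items", []):
        if obj.get("kind") != "HTTPRoute":
            continue
        route_ns, route_name = obj["metadata"]["namespace"], obj["metadata"]["name"]
        for rule_idx, rule in enumerate(obj.get("spec", {}).get("rules", [])):
            refs = rule.get("backendRefs", [])
            for ref in refs:
                if not is_cross_provider_ref(ref) or "namespace" not in ref:
                    continue
                bypass_shape = (route_ns not in allowlisted_namespaces
                                and len(refs) > 1
                                and ref["namespace"] in allowlisted_namespaces)
                findings.append({
                    "route": f"{route_ns}/{route_name}",
                    "rule": rule_idx,
                    "backend": ref["name"],
                    "ref_namespace": ref["namespace"],
                    "severity": "high" if bypass_shape else "medium",
                })
    return findings


if __name__ == "__main__":
    # Real use:  kubectl get httproutes -A -o json | python3 audit_httproutes.py traefik-system
    # With no piped input and no arguments, runs against the constructed sample.
    data = SAMPLE_KUBECTL_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    allowlist = set(sys.argv[1:]) or {"traefik-system"}
    for f in audit_httproutes(data, allowlist):
        print(f"[{f['severity']}] {f['route']} rule {f['rule']}: "
              f"{f['backend']} namespace={f['ref_namespace']}")
```

Run it with the allow-listed namespaces from the Traefik static configuration as arguments. The "high" findings are routes to investigate as possible exploitation; the "medium" findings are the routes that will stop being accepted after the upgrade and need their namespace field removed first.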

Compliance Impact

This vulnerability allows unauthorized exposure of internal Traefik services by bypassing the namespace allowlist that is meant to restrict which namespaces may reference them. Such access could lead to disclosure of routing configuration or, where the REST provider is enabled, to unauthorized changes to traffic flow within a Kubernetes environment.

The CVE description does not mention standards such as GDPR or HIPAA, but the exposure of internal services and the resulting potential for unauthorized access bear on any regime that requires strict controls over data access and protection.

Organizations running Traefik's Kubernetes Gateway provider should treat this vulnerability as a risk to their security posture and compliance obligations, especially where sensitive or regulated data passes through the affected clusters.
