CVE-2026-54762
Status: Received - Intake
Authentication Bypass in Traefik Kubernetes Ingress

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Traefik is an HTTP reverse proxy and load balancer. From 3.7.0-ea.1 until 3.7.5, there is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported nginx.ingress.kubernetes.io/auth-type and auth-secret annotations, but the referenced auth Secret cannot be resolved or parsed, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. A route that operators intended to protect is therefore published to the data plane without its authentication control, allowing unauthenticated access to the backend. The trigger is an invalid or unresolved auth dependency (a missing, malformed, unreadable, or policy-denied Secret) rather than an intentionally unprotected route. This vulnerability is fixed in 3.7.5.
Affected Vendors & Products

Vendor   Product   Version / Range
traefik  traefik   From 3.7.0-ea.1 (inc) to 3.7.5 (exc)
traefik  traefik   From 3.7.0 (inc) to 3.7.5 (exc)
CWE

CWE-693: The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
CWE-636: When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.
Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Traefik to version 3.7.5 or later where the issue is fixed.

In the meantime, ensure that all Kubernetes Ingress resources that enable BasicAuth or DigestAuth have valid, correctly formatted, and accessible authentication Secrets.

Audit and correct any missing, malformed, unreadable, or policy-denied Secrets referenced by the Ingress annotations to prevent routes from failing open.

Monitor Traefik logs for authentication middleware installation errors and address any issues promptly.

Executive Summary

CVE-2026-54762 is a medium-severity vulnerability in Traefik's Kubernetes Ingress NGINX provider affecting versions from 3.7.0-ea.1 to 3.7.4. When an Ingress resource explicitly enables BasicAuth or DigestAuth using annotations but the referenced authentication Secret is missing, malformed, unreadable, or inaccessible, Traefik logs the error but skips installing the authentication middleware. Despite the authentication failure, Traefik still routes traffic to the backend service, effectively bypassing the intended authentication control.

This means that routes operators intended to protect are exposed to unauthenticated access because an auth dependency is unresolved or invalid, not because the route was intentionally left unprotected.

Impact Analysis

This vulnerability can lead to unauthorized access to backend services that were intended to be protected by BasicAuth or DigestAuth. Because the authentication middleware is skipped when the referenced Secret cannot be resolved, attackers or unauthorized users can access sensitive routes without authentication.

The impact includes potential exposure of confidential data or services, as the authentication boundary is inadvertently removed due to misconfiguration or missing Secrets. This can compromise the confidentiality of systems relying on Traefik for access control.

Detection Guidance

This vulnerability can be detected by checking Traefik logs for errors related to unresolved or unparseable authentication Secrets referenced by Kubernetes Ingress annotations such as `nginx.ingress.kubernetes.io/auth-type` and `nginx.ingress.kubernetes.io/auth-secret`.

Specifically, look for log entries indicating that Traefik failed to resolve or parse the authentication Secret, which causes it to skip installing the authentication middleware but still route traffic to the backend.

You can also audit your Kubernetes Ingress resources to identify any Ingresses that enable BasicAuth or DigestAuth but reference missing, malformed, or inaccessible Secrets.

  • Use `kubectl get ingress -o yaml` to review Ingress annotations for `nginx.ingress.kubernetes.io/auth-type` and `nginx.ingress.kubernetes.io/auth-secret`.
  • Use `kubectl get secret <auth-secret-name>` to verify the existence and accessibility of each referenced Secret.
  • Check Traefik logs for error messages about authentication Secret resolution failures.
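As an added example (not part of the advisory or of Traefik's own code), the audit above written as a Python check over the objects returned by `kubectl get ingress -o json` and `kubectl get secret -o json`: it flags every Ingress that requests basic or digest auth but whose Secret is missing, has no `auth` key, or does not decode. The htpasswd-style `auth` key and the `namespace/name` reference form are ingress-nginx conventions assumed here, and the sample objects are constructed.

```python
import base64
import binascii
AUTH_TYPE = "nginx.ingress.kubernetes.io/auth-type"
AUTH_SECRET = "nginx.ingress.kubernetes.io/auth-secret"

# Constructed sample data (not real cluster output), shaped like the items in
# `kubectl get ingress -o json` / `kubectl get secret -o json`.
SAMPLE_INGRESSES = [
    {"metadata": {"namespace": "prod", "name": "api", "annotations": {AUTH_TYPE: "basic", AUTH_SECRET: "api-auth"}}},
    {"metadata": {"namespace": "prod", "name": "admin", "annotations": {AUTH_TYPE: "basic", AUTH_SECRET: "missing-auth"}}},
    {"metadata": {"namespace": "prod", "name": "metrics", "annotations": {AUTH_TYPE: "digest", AUTH_SECRET: "ops/bad-auth"}}},
    {"metadata": {"namespace": "prod", "name": "public", "annotations": {}}},
]
SAMPLE_SECRETS = {  # keyed by (namespace, name); Secret data is base64 as in the API
    ("prod", "api-auth"): {"data": {"auth": base64.b64encode(b"alice:$apr1$x$y\n").decode()}},
    ("ops", "bad-auth"): {"data": {"auth": "not-base64!!"}},
}
def audit_auth_ingresses(ingresses, secrets):
    """Return (namespace/ingress, reason) for every Ingress that asks for basic or
    digest auth but whose auth Secret would fail to resolve or parse."""
    findings = []
    for ing in ingresses:
        meta, ann = ing["metadata"], ing["metadata"].get("annotations") or {}
        if ann.get(AUTH_TYPE, "").lower() not in ("basic", "digest"):
            continue  # no auth requested, so nothing can fail open here
        ident = f"{meta['namespace']}/{meta['name']}"
        ns, name = meta["namespace"], ann.get(AUTH_SECRET, "")
        if "/" in name:  # ingress-nginx also accepts 'namespace/name' references (assumed)
            ns, name = name.split("/", 1)
        sec = secrets.get((ns, name)) if name else None
        if sec is None:
            findings.append((ident, f"auth Secret '{ns}/{name}' missing or not referenced"))
            continue
        raw = (sec.get("data") or {}).get("auth")  # htpasswd-style 'auth' key (assumed layout)
        if raw is None:
            findings.append((ident, f"Secret '{ns}/{name}' has no 'auth' key"))
            continue
        try:
            users = base64.b64decode(raw, validate=True).decode()
        except (binascii.Error, UnicodeDecodeError):
            findings.append((ident, f"Secret '{ns}/{name}' 'auth' value is not valid base64"))
            continue
        if not any(":" in ln for ln in users.splitlines() if ln.strip()):
            findings.append((ident, f"Secret '{ns}/{name}' 'auth' has no user:hash lines"))
    return findings

if __name__ == "__main__":
    for ident, reason in audit_auth_ingresses(SAMPLE_INGRESSES, SAMPLE_SECRETS):
        print(f"FAIL-OPEN RISK {ident}: {reason}")
```

Every finding is a route that, on an affected Traefik version, would be published without its authentication middleware, so it should be fixed before or alongside the upgrade.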

Compliance Impact

This vulnerability causes routes that are intended to be protected by BasicAuth or DigestAuth to fail open if the referenced authentication Secret cannot be resolved or parsed. As a result, protected backend services may be exposed to unauthenticated access.

Such unauthorized access to protected resources can lead to potential breaches of confidentiality and unauthorized data exposure, which may impact compliance with common standards and regulations like GDPR and HIPAA that require strict access controls and protection of sensitive data.

The vulnerability arises from missing, malformed, unreadable, or policy-denied Secrets in Kubernetes, which bypass the intended authentication controls, increasing the risk of non-compliance with security and privacy requirements.
