CVE-2026-41174

Name
CVE-2026-41174
Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetesCRD.allowCrossNamespace=false, Traefik correctly rejects direct cross-namespace middleware references from IngressRoute objects, but fails to apply the same restriction to middleware references nested inside a Chain middleware's spec.chain.middlewares[]. An actor with permission to create or update Traefik CRDs in their own namespace can exploit this to cause Traefik to resolve and apply middleware objects from another namespace, bypassing the documented isolation boundary. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security-advisories@github.com https://github.com/traefik/traefik/commit/df00d82fc7f12e07199551832b54de6d0e55414d
security-advisories@github.com https://github.com/traefik/traefik/releases/tag/v2.11.43
security-advisories@github.com https://github.com/traefik/traefik/releases/tag/v3.6.14
security-advisories@github.com https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
security-advisories@github.com https://github.com/traefik/traefik/security/advisories/GHSA-xhjw-95fp-8vgq

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:* traefik >= None < 2.11.43
cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:* traefik >= 3.0.0 < 3.6.14
cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:* traefik == None == 3.7.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
traefik edge-community 3.7.0-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.7.0-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.6.9-r2 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.6.9-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.6.9-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.6.8-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.6.7-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.6.7-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.6.6-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.6.6-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.6.4-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.6.2-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.6.2-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.5.0-r2 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.5.0-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.5.0-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.4.0-r2 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.4.0-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.4.0-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.3.4-r3 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.3.4-r2 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.3.4-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.3.4-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.3.3-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.3.2-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.3.2-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.1.7-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 3.1.3-r0 None possibly vulnerable
traefik edge-community 2.9.10-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 2.9.6-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik edge-community 2.2.8-r0 None possibly vulnerable
traefik 3.23-community 3.6.2-r6 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik 3.23-community 3.6.2-r5 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik 3.23-community 3.6.2-r4 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik 3.23-community 3.6.2-r3 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik 3.23-community 3.6.2-r2 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
traefik 3.23-community 3.6.2-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable