Cross-Namespace Isolation Issue in Traefik HTTP Reverse Proxy and Load Balancer
CVE-2026-41174

4.8 MEDIUM

Key Information:

Vendor: Traefik

Status
Vendor
CVE Published: 30 April 2026

What is CVE-2026-41174?

A cross-namespace isolation vulnerability exists in the Traefik HTTP reverse proxy in versions prior to 2.11.43, 3.6.14, and 3.7.0-rc.2. The Kubernetes CRD provider resolves cross-namespace middleware references without proper restrictions. When 'providers.kubernetesCRD.allowCrossNamespace' is false, direct cross-namespace references in IngressRoute objects are correctly rejected, but the same check is not applied to middleware references nested within a Chain middleware's configuration. An actor with permission to create or update CRDs in their own namespace can therefore cross the isolation boundary by referencing a middleware from another namespace. Traefik has released patches to address this vulnerability in the specified versions.

Affected Version(s)

traefik < 2.11.43

traefik >= 3.7.0-ea.1, < 3.7.0-rc.2

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
