Kubernetes Gateway API Vulnerability in Traefik by Traefik Labs
CVE-2026-44774

6.4MEDIUM

Key Information:

Vendor

Traefik

Status
Traefik
Vendor
CVE Published:
15 May 2026

What is CVE-2026-44774?

A flaw exists in Traefik's Kubernetes Gateway API provider that allows a low-privileged actor to expose the REST provider handler, despite settings designed to prevent this exposure. Specifically, the Gateway provider permits the use of backend references that could unintentionally route traffic to internal services. This vulnerability could lead to unauthorized dynamic configuration write access, enabling attackers to reconfigure routers and services irresponsibly. Users should upgrade to Traefik versions 2.11.46, 3.6.17, or 3.7.1 to mitigate this risk.

Affected Version(s)

traefik < 2.11.46 < 2.11.46

traefik >= 3.0.0-beta1, < 3.6.17 < 3.0.0-beta1, 3.6.17

traefik >= 3.7.0-rc.0, < 3.7.1 < 3.7.0-rc.0, 3.7.1

References

https://github.com/traefik/traefik/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/traefik/traefik/releases/tag/v2.11.46
x_refsource_MISC
https://github.com/traefik/traefik/releases/tag/v3.6.17
x_refsource_MISC

CVSS V4

Score:
6.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.