HTTP Reverse Proxy and Load Balancer Vulnerability in Traefik by Traefik Labs
CVE-2026-48020

7.8 HIGH

Key Information:

Vendor: Traefik
Status: Vendor
CVE Published: 23 June 2026

What is CVE-2026-48020?

Traefik, an HTTP reverse proxy and load balancer, is affected by a vulnerability in its StripPrefix middleware that allows unauthenticated attackers to bypass route-level authentication and reach protected backend paths. When a public router matches a PathPrefix rule and applies the StripPrefix middleware, a request path containing '..' or its percent-encoded form '%2e%2e' is routed, after the prefix is stripped, to secured areas such as admin endpoints or internal configuration settings without the authentication those routes require. The issue is fixed in versions 2.11.48, 3.6.19, and 3.7.3.
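To make the failure mode concrete, the following Go program is an added illustration; it is not Traefik's code and not part of the advisory. It models the pattern the advisory describes (match a public prefix on the raw request path, then strip it) next to a hardened variant that canonicalizes the path first (percent-decode, then collapse '.' and '..' segments) and refuses anything whose canonical form leaves the public prefix. It also runs that check over constructed access-log lines so the same logic doubles as a detection rule. The prefixes /public and /admin, the log lines, and every function name are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Assumed layout: the public router matches publicPrefix and strips it;
// protectedPrefix must only be reachable through an authenticated router.
const (
	publicPrefix    = "/public"
	protectedPrefix = "/admin"
)

// hasSegmentPrefix matches on a segment boundary ("/publicity" is not "/public").
func hasSegmentPrefix(p, prefix string) bool {
	return p == prefix || strings.HasPrefix(p, prefix+"/")
}

// normalizeRequestPath percent-decodes a raw path and collapses "." and ".."
// segments; the leading "/" plus path.Clean yields a rooted, canonical path.
func normalizeRequestPath(raw string) (string, error) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", err
	}
	return path.Clean("/" + decoded), nil
}

// naiveStrip models matching and stripping on the raw path without
// canonicalizing first; shown only for comparison with safeStrip.
func naiveStrip(raw string) (backendPath string, matched bool) {
	if !hasSegmentPrefix(raw, publicPrefix) {
		return "", false
	}
	return strings.TrimPrefix(raw, publicPrefix), true
}

// reachesProtected models the backend resolving a forwarded path and reports
// whether it lands under protectedPrefix.
func reachesProtected(backendPath string) bool {
	clean, err := normalizeRequestPath(backendPath)
	return err == nil && hasSegmentPrefix(clean, protectedPrefix)
}

// safeStrip canonicalizes first and forwards only while the canonical path is
// still under publicPrefix; undecodable paths are refused as well.
func safeStrip(raw string) (backendPath string, ok bool) {
	clean, err := normalizeRequestPath(raw)
	if err != nil || !hasSegmentPrefix(clean, publicPrefix) {
		return "", false
	}
	return strings.TrimPrefix(clean, publicPrefix), true
}

// sampleLogLines are constructed common-log-format entries, not real traffic.
var sampleLogLines = []string{
	`10.0.0.5 - - [23/Jun/2026:10:00:00 +0000] "GET /public/index.html HTTP/1.1" 200 512`,
	`10.0.0.6 - - [23/Jun/2026:10:00:01 +0000] "GET /public/../admin/config HTTP/1.1" 200 1024`,
	`10.0.0.7 - - [23/Jun/2026:10:00:02 +0000] "GET /public/%2e%2e/admin/users HTTP/1.1" 200 2048`,
	`10.0.0.8 - - [23/Jun/2026:10:00:03 +0000] "GET /public/docs/./guide HTTP/1.1" 200 300`,
	`10.0.0.9 - - [23/Jun/2026:10:00:04 +0000] "GET /admin/login HTTP/1.1" 401 0`,
}

// requestPath pulls the request target out of a common-log-format line.
func requestPath(line string) string {
	parts := strings.Split(line, `"`)
	if len(parts) < 3 {
		return ""
	}
	fields := strings.Fields(parts[1])
	if len(fields) < 2 {
		return ""
	}
	return fields[1]
}

// suspiciousPaths returns raw paths the public router would match on the raw
// string but whose canonical form escapes publicPrefix: the entries to alert on.
func suspiciousPaths(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		p := requestPath(line)
		if _, matched := naiveStrip(p); !matched {
			continue
		}
		if _, ok := safeStrip(p); !ok {
			flagged = append(flagged, p)
		}
	}
	return flagged
}

func main() {
	for _, p := range suspiciousPaths(sampleLogLines) {
		bp, _ := naiveStrip(p)
		fmt.Printf("%s -> naive backend path %q lands under %s: %v\n", p, bp, protectedPrefix, reachesProtected(bp))
	}
}
```

The decisive design point is ordering: decode and clean before the prefix comparison, never after. Because url.PathUnescape accepts both '%2e' and '%2E', and path.Clean resolves '..' against the root, the check covers the plain and the percent-encoded forms the advisory names with a single comparison, and it refuses malformed encodings rather than guessing. Until the fixed versions are deployed, running the same comparison over proxy access logs (as suspiciousPaths does) surfaces requests that matched a public prefix on the raw path but canonicalize elsewhere.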

Affected Version(s)

traefik >= 3.7.0-ea.1, < 3.7.3 < 3.7.0-ea.1, 3.7.3

traefik >= 3.0.0-beta1, < 3.6.19 < 3.0.0-beta1, 3.6.19

traefik < 2.11.48 < 2.11.48

References

CVSS V4

Score: 7.8
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved