Kubernetes Gateway Provider Vulnerability in Traefik by Traefik Labs
CVE-2026-54761

6 (MEDIUM)

Key Information:

Vendor: Traefik
Status: Vendor
CVE Published: 23 June 2026

What is CVE-2026-54761?

A vulnerability exists in Traefik's Kubernetes Gateway provider in the handling of the crossProviderNamespaces allowlist. For HTTPRoute rules that declare multiple backendRefs, Traefik checks the allowlist against the target backendRef.namespace rather than against the namespace of the HTTPRoute itself. As a result, an HTTPRoute in a namespace that is not on the allowlist can reference a cross-provider TraefikService (including api@internal, dashboard@internal or rest@internal) through a backendRef that points to an allow-listed namespace covered by a Gateway API ReferenceGrant. Exploiting the flaw requires the ability to create an accepted HTTPRoute and a corresponding ReferenceGrant from an allow-listed namespace; no change to the Traefik static configuration or deployment is required. The issue is fixed in Traefik versions 3.6.21 and 3.7.5.
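To make the faulty comparison concrete, here is a constructed Go model of the allowlist check, added to this page and not Traefik's own code: the type names, the allowlist value traefik-system and the namespace tenant-a are assumptions chosen for the illustration.

```go
package main

import "fmt"

// Constructed model, not Traefik's own types or code: only an illustration of
// the crossProviderNamespaces allowlist check the advisory describes.
type BackendRef struct {
	Namespace     string // namespace the backendRef points at
	Name          string
	CrossProvider bool // true for a TraefikService such as api@internal
}

type HTTPRoute struct {
	Namespace   string // namespace the HTTPRoute object lives in
	BackendRefs []BackendRef
}

// vulnerableCheck models the pre-fix behaviour: once a rule has several
// backendRefs, the allowlist is compared against backendRef.namespace instead.
func vulnerableCheck(allow map[string]bool, r HTTPRoute) bool {
	for _, b := range r.BackendRefs {
		ns := r.Namespace
		if len(r.BackendRefs) > 1 {
			ns = b.Namespace // the bug: the wrong namespace is consulted
		}
		if b.CrossProvider && !allow[ns] {
			return false
		}
	}
	return true
}

// fixedCheck always consults the namespace of the HTTPRoute itself, so a
// ReferenceGrant from an allow-listed namespace no longer widens the allowlist.
func fixedCheck(allow map[string]bool, r HTTPRoute) bool {
	for _, b := range r.BackendRefs {
		if b.CrossProvider && !allow[r.Namespace] {
			return false
		}
	}
	return true
}

func main() {
	allow := map[string]bool{"traefik-system": true} // assumed allowlist value
	r := HTTPRoute{Namespace: "tenant-a", BackendRefs: []BackendRef{
		{Namespace: "traefik-system", Name: "api@internal", CrossProvider: true},
		{Namespace: "tenant-a", Name: "app"}}}
	fmt.Println("vulnerable:", vulnerableCheck(allow, r), "fixed:", fixedCheck(allow, r))
}
```

Running the model prints `vulnerable: true fixed: false`: the route in tenant-a passes the old check only because its backendRef targets an allow-listed namespace, and the corrected check rejects it.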

Affected Version(s)

traefik < 3.6.21 (fixed in 3.6.21)

traefik >= 3.7.0-ea.1, < 3.7.5 (fixed in 3.7.5)

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
