Security Flaw in Traefik Load Balancer Affects HTTPRoute Configurations
CVE-2026-54765

6.3MEDIUM

Key Information:

Vendor

Traefik

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-54765?

Traefik, the open-source HTTP reverse proxy and load balancer, has a vulnerability that allows the misconfiguration of accepted HTTPRoutes targeting the same backend. This issue emerges when different backendRef filters are configured for routes that share the same backend Service:port. As a result, the filter context from one route can incorrectly affect requests from another route, especially in environments where security-sensitive headers are utilized. This flaw potentially allows an attacker to manipulate headers and access unauthorized resources, especially when ReferenceGrants for cross-namespace targeting are enabled. The vulnerability is addressed in Traefik version v3.7.6.

Affected Version(s)

traefik >= 3.7.0, < 3.7.6

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.