CVSS 10.0 · CRITICAL

CVE-2026-48020

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing .. or its percent-encoded form %2e%2e can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths — such as admin or internal configuration endpoints — without satisfying the authentication middleware attached to the protected router. This vulnerability is fixed in 2.11.48, 3.6.19, and 3.7.3.
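The routing-time versus post-normalization mismatch described above, modelled in Go as a defender's check (an added example, not Traefik's own code; the PathPrefix matcher and the normalization step are simplified models, and the sample paths are constructed):

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// matchesPathPrefix models a PathPrefix(prefix) rule evaluated on the raw
// request path, before any decoding or normalization (simplified model,
// not Traefik's matcher).
func matchesPathPrefix(p, prefix string) bool {
	return p == prefix || strings.HasPrefix(p, prefix+"/")
}

// normalizePath models what happens after StripPrefix in the advisory:
// percent-decoding (so %2e%2e becomes ..) followed by dot-segment
// collapsing. Undecodable input is kept as-is.
func normalizePath(raw string) string {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		decoded = raw
	}
	if !strings.HasPrefix(decoded, "/") {
		decoded = "/" + decoded
	}
	return path.Clean(decoded)
}

// escapesPrefix reports whether a request matches the public prefix on its
// raw path but no longer lies under that prefix once normalized. That
// mismatch is the condition to flag in access logs or to reject at the
// edge while unpatched Traefik instances remain.
func escapesPrefix(raw, prefix string) bool {
	return matchesPathPrefix(raw, prefix) &&
		!matchesPathPrefix(normalizePath(raw), prefix)
}

func main() {
	// Constructed sample request paths, not captured traffic.
	samples := []string{"/public/docs", "/public/../admin",
		"/public/%2e%2e/admin", "/admin"}
	for _, p := range samples {
		fmt.Printf("%-24s normalized=%-16s flag=%v\n",
			p, normalizePath(p), escapesPrefix(p, "/public"))
	}
}
```

Only requests whose raw path matches the public prefix but whose normalized path leaves it are flagged; the two benign samples pass through untouched.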

Analysis

Traefik has a critical vulnerability in its StripPrefix middleware that allows unauthenticated attackers to bypass the protection of restricted routes by using sequences such as .. or %2e%2e. This flaw allows access to internal endpoints, administration consoles or private APIs that should be restricted by authentication middleware. It is imperative to upgrade to versions 2.11.48, 3.6.19 or 3.7.3 to ensure the integrity of the infrastructure.

Relevant roles

Backend, Cloud, Kubernetes, Docker, CyberSecurity, Go

Severity

Score: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: NONE
Weakness (CWE): CWE-288

EPSS

Probability of exploitation (next 30 days): 0.0053 (0.5%)
Percentile: 40.5%
EPSS: 2026-06-26

Affects

traefik:traefik


Published: 6/23/2026, 8:16:47 PM
Last modified: 6/26/2026, 5:04:46 PM
