Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false
Summary
| CVE | CVE-2026-44774 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-15 17:16:48 UTC |
| Updated | 2026-06-30 03:20:01 UTC |
| Description | Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name ends with @internal, making it possible to route traffic to rest@internal in addition to the intended api@internal. In shared Gateway deployments where the REST provider is enabled, this allows a low-privileged actor to gain live dynamic configuration write access to Traefik, enabling unauthorized reconfiguration of routers and services. This vulnerability is fixed in 2.11.46, 3.6.17, and 3.7.1. |
Risk And Classification
Primary CVSS: v4.0 6.4 MEDIUM from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000160000 probability, percentile 0.038660000 (date 2026-05-26)
Problem Types: CWE-284: Improper Access Control | CWE-15: External Control of System or Configuration Setting
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 6.4 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H/E:X/C... |
| 4.0 | CNA | DECLARED | 6.4 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H |
| 3.1 | [email protected] | Primary | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | ADP | CVSS | 8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Traefik | Traefik | affected < 2.11.46 | Not specified |
| CNA | Traefik | Traefik | affected >= 3.0.0-beta1, < 3.6.17 | Not specified |
| CNA | Traefik | Traefik | affected >= 3.7.0-rc.0, < 3.7.1 | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift GitOps | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/traefik/traefik/releases/tag/v3.7.1 | [email protected] | github.com | Product, Release Notes |
| github.com/traefik/traefik/security/advisories/GHSA-96qj-4jj5-wcjc | [email protected] | github.com | Exploit, Patch, Vendor Advisory |
| access.redhat.com/security/cve/CVE-2026-44774 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/traefik/traefik/releases/tag/v2.11.46 | [email protected] | github.com | Product, Release Notes |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44774.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| github.com/traefik/traefik/releases/tag/v3.6.17 | [email protected] | github.com | Product, Release Notes |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-15T17:01:12.579Z | Reported to Red Hat. |
| ADP | 2026-05-15T16:30:43.265Z | Made public. |
Workarounds
ADP: Upgrade Traefik to version 2.11.46 or later (2.x line), 3.6.17 or later (3.6.x line), or 3.7.1 or later (3.7.x line) by installing updated Red Hat OpenShift Dev Spaces releases that ship a fixed traefik-rhel9 container image. Until updated images are available, limit which principals can create HTTPRoute resources in namespaces where Traefik runs with the Kubernetes Gateway API provider. Disable or tightly restrict the Traefik REST dynamic configuration provider in shared Gateway deployments, and block untrusted use of TraefikService backends that reference @internal handlers.
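The audit the description and workaround call for, as an added example (not Traefik's or Red Hat's code): it walks HTTPRoute objects and flags any TraefikService backendRef to an `@internal` handler other than `api@internal`. The sample routes are constructed; the `group`/`kind` field values are the ones shown in Traefik's Gateway API documentation.

```python
"""Audit HTTPRoute backendRefs for references to Traefik's @internal
handlers. Added example, not Traefik project code; the backendRef fields
(group traefik.io, kind TraefikService) follow Traefik's Gateway API docs."""

# api@internal is the one internal handler a Gateway route is meant to target.
ALLOWED_INTERNAL = {"api@internal"}
TRAEFIK_GROUP = "traefik.io"


def is_traefik_service_ref(ref: dict) -> bool:
    """True when a backendRef targets a TraefikService object or handler."""
    return ref.get("group") == TRAEFIK_GROUP and ref.get("kind") == "TraefikService"


def find_internal_refs(httproute: dict) -> list:
    """Return (namespace, route, backend) for each TraefikService backendRef
    whose name ends in '@internal' and is not in ALLOWED_INTERNAL.
    A hit on rest@internal is the exposure described in CVE-2026-44774."""
    meta = httproute.get("metadata", {})
    hits = []
    for rule in httproute.get("spec", {}).get("rules", []):
        for ref in rule.get("backendRefs", []):
            name = ref.get("name", "")
            if (is_traefik_service_ref(ref) and name.endswith("@internal")
                    and name not in ALLOWED_INTERNAL):
                hits.append((meta.get("namespace"), meta.get("name"), name))
    return hits


def audit(routes: list) -> list:
    """Run the check over a list of HTTPRoute objects (e.g. parsed kubectl output)."""
    return [hit for route in routes for hit in find_internal_refs(route)]


# Constructed sample routes: a legitimate dashboard route and one that
# would reach the REST provider handler on an unpatched Traefik.
SAMPLE_ROUTES = [
    {"metadata": {"namespace": "traefik", "name": "dashboard"},
     "spec": {"rules": [{"backendRefs": [
         {"group": TRAEFIK_GROUP, "kind": "TraefikService", "name": "api@internal"}]}]}},
    {"metadata": {"namespace": "tenant-a", "name": "config-route"},
     "spec": {"rules": [{"backendRefs": [
         {"group": TRAEFIK_GROUP, "kind": "TraefikService", "name": "rest@internal"},
         {"group": "", "kind": "Service", "name": "app", "port": 80}]}]}},
]

if __name__ == "__main__":
    for ns, route, backend in audit(SAMPLE_ROUTES):
        print(f"{ns}/{route}: TraefikService backendRef to {backend}")
```

The same predicate can serve as the rejection rule in an admission policy for namespaces where tenants may create HTTPRoute objects.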