CVE-2026-54762

Severity: MEDIUM · EPSS 27.9%
Published Jun 23, 2026 (1w ago) · Modified Jun 24, 2026 (6d ago)
CVSS 4.0 base score: 5.9 (Medium)

Description

Traefik is an HTTP reverse proxy and load balancer. From 3.7.0-ea.1 until 3.7.5, there is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported nginx.ingress.kubernetes.io/auth-type and auth-secret annotations, but the referenced auth Secret cannot be resolved or parsed, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. A route that operators intended to protect is therefore published to the data plane without its authentication control, allowing unauthenticated access to the backend. The trigger is an invalid or unresolved auth dependency — a missing, malformed, unreadable, or policy-denied Secret — rather than an intentionally unprotected route. This vulnerability is fixed in 3.7.5.
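The failure mode described above, as an added example that is not Traefik's code: a minimal Go model of the affected fail-open behaviour (error logged, middleware skipped, router still emitted) beside a fail-closed alternative that emits no router when a requested auth dependency cannot be satisfied, plus the operator-side audit that lists Ingresses a fail-open proxy would publish unprotected. The `Ingress`, `Route` and `secretStore` types, the sample Ingresses and Secrets, and every function name are constructed for illustration; only the two annotation keys come from the advisory text.

```go
package main

import (
	"fmt"
	"log"
)

const (
	authTypeAnnotation   = "nginx.ingress.kubernetes.io/auth-type"
	authSecretAnnotation = "nginx.ingress.kubernetes.io/auth-secret"
)

// Constructed stand-ins for a Kubernetes Ingress and for a router emitted to the data plane.
type Ingress struct {
	Namespace, Name, Backend string
	Annotations              map[string]string
}
type Route struct {
	Name, Backend string
	Middlewares   []string
}

// secretStore maps "namespace/name" to parsed users; an empty list models an unparsable Secret.
type secretStore map[string][]string

// resolveAuth returns the requested auth middleware ("" if none) or an error if the Secret cannot be resolved/parsed.
func resolveAuth(ing Ingress, secrets secretStore) (string, error) {
	authType, requested := ing.Annotations[authTypeAnnotation]
	if !requested {
		return "", nil // no auth annotation: an intentionally unprotected route
	}
	if authType != "basic" && authType != "digest" {
		return "", fmt.Errorf("unsupported auth-type %q", authType)
	}
	key := ing.Namespace + "/" + ing.Annotations[authSecretAnnotation]
	users, found := secrets[key]
	switch {
	case !found:
		return "", fmt.Errorf("auth secret %s not found", key)
	case len(users) == 0:
		return "", fmt.Errorf("auth secret %s has no parsable users", key)
	}
	return authType + "-auth", nil
}

func newRoute(ing Ingress, mw string) *Route {
	r := &Route{Name: ing.Namespace + "-" + ing.Name, Backend: ing.Backend}
	if mw != "" {
		r.Middlewares = append(r.Middlewares, mw)
	}
	return r
}

// buildRouteFailOpen models the affected behaviour: log the error, skip the middleware, still emit the router.
func buildRouteFailOpen(ing Ingress, secrets secretStore) *Route {
	mw, err := resolveAuth(ing, secrets) // mw is "" on error, so the route ships without auth
	if err != nil {
		log.Printf("%s/%s: %v (router published anyway)", ing.Namespace, ing.Name, err)
	}
	return newRoute(ing, mw)
}

// buildRouteFailClosed: a requested control that cannot be installed means no router at all.
func buildRouteFailClosed(ing Ingress, secrets secretStore) (*Route, error) {
	mw, err := resolveAuth(ing, secrets)
	if err != nil {
		return nil, fmt.Errorf("%s/%s: %w", ing.Namespace, ing.Name, err)
	}
	return newRoute(ing, mw), nil
}

// auditFailOpen lists Ingresses that request auth the proxy cannot satisfy (published unprotected when fail-open).
func auditFailOpen(ingresses []Ingress, secrets secretStore) []string {
	var exposed []string
	for _, ing := range ingresses {
		if _, err := resolveAuth(ing, secrets); err != nil {
			exposed = append(exposed, ing.Namespace+"/"+ing.Name)
		}
	}
	return exposed
}

// Constructed sample data: one resolvable Secret, one present but unparsable, one referenced but missing.
var sampleSecrets = secretStore{"prod/admin-creds": {"admin"}, "prod/empty-creds": {}}
var sampleIngresses = []Ingress{
	{"prod", "admin", "admin-svc:8080", map[string]string{authTypeAnnotation: "basic", authSecretAnnotation: "admin-creds"}},
	{"prod", "metrics", "metrics-svc:9090", map[string]string{authTypeAnnotation: "basic", authSecretAnnotation: "missing-creds"}},
	{"prod", "reports", "reports-svc:8080", map[string]string{authTypeAnnotation: "digest", authSecretAnnotation: "empty-creds"}},
	{"prod", "public", "www-svc:80", map[string]string{}},
}

func main() {
	for _, ing := range sampleIngresses {
		open := buildRouteFailOpen(ing, sampleSecrets)
		closed, err := buildRouteFailClosed(ing, sampleSecrets)
		fmt.Printf("%-8s fail-open auth=%v | fail-closed published=%t err=%v\n", ing.Name, open.Middlewares, closed != nil, err)
	}
	fmt.Println("exposed under fail-open:", auditFailOpen(sampleIngresses, sampleSecrets))
}
```

The design point is in `buildRouteFailClosed`: an auth control the operator asked for is treated as a hard dependency of the route, so an unresolvable Secret yields no router rather than an unprotected one. The audit function is the check an operator can run against the same inputs (annotations plus the Secrets actually present) to find routes that an affected proxy would have published without authentication.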

CVSS Details

Base Score: 5.9
Exploitability:
Impact:
Vector string: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X

Threat Intelligence

EPSS exploit probability: 27.9% percentile
Exploit & Patch Status: No Known Exploit; No Patch Available

Weaknesses (2)

CWE-636
CWE-693

References (2)

  • github.com https://github.com/traefik/traefik/releases/tag/v3.7.5
  • github.com https://github.com/traefik/traefik/security/advisories/GHSA-4mr2-fg2p-w63c

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.