pkg:Go/github.com/traefik/traefik/v2

61 total CVEsCRITICAL2HIGH19MEDIUM15LOW3

✅ Check your installed version

All known vulnerabilities

CRITICAL10.0CVE-2026-39858Traefik: Pre-authentication decision bypass due to forwarded alias spoofing
from 0, < 2.11.43
CRITICAL10.0CVE-2026-35051Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication
from 0, < 2.11.43
HIGH8.2CVE-2026-40912Traefik has an StripPrefixRegex Middleware Authorization Bypass via Path/RawPath Desync
from 0, < 2.11.43
HIGH7.5CVE-2026-29054traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`) in github.com/traefik/traefik
>= 2.11.9, < 2.11.38
HIGH7.5CVE-2026-29054traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`) in github.com/traefik/traefik
>= 2.11.9, < 2.11.38
HIGH7.5CVE-2026-26999Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DOS)
from 0, < 2.11.38
HIGH7.5CVE-2026-26999Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DOS)
from 0, < 2.11.38
HIGH7.5CVE-2026-25949Traefik: TCP readTimeout bypass via STARTTLS on Postgres in github.com/traefik/traefik
from 0
HIGH7.5CVE-2024-45410HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik
from 0, < 2.11.9
HIGH7.5CVE-2024-45410HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik
from 0, < 2.11.9
HIGH7.5CVE-2024-39321Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes in github.com/traefik/traefik
from 0, < 2.11.6
HIGH7.5CVE-2024-39321Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes in github.com/traefik/traefik
from 0, < 2.11.6
HIGH7.5CVE-2024-28869Traefik vulnerable to denial of service with Content-length header in github.com/traefik/traefik
from 0, < 2.11.2
HIGH7.5CVE-2024-28869Traefik vulnerable to denial of service with Content-length header in github.com/traefik/traefik
from 0, < 2.11.2
HIGH7.5CVE-2023-47633Traefik docker container using 100% CPU in github.com/traefik/traefik
from 0, < 2.10.6
HIGH7.5CVE-2023-47633Traefik docker container using 100% CPU in github.com/traefik/traefik
from 0, < 2.10.6
HIGH7.5CVE-2023-29013Traefik HTTP header parsing could cause a denial of service
from 0, < 2.9.10
HIGH7.5CVE-2022-39271Traefik HTTP/2 connections management could cause a denial of service
from 0, < 2.8.8
HIGH7.5CVE-2019-20894Improper Authentication in github.com/containous/traefik
from 0, < 2.2.2
HIGH7.4CVE-2022-23632Skip the router TLS configuration when the host header is an FQDN in github.com/traefik/traefik
from 0, < 2.6.1
HIGH7.4CVE-2022-23632Skip the router TLS configuration when the host header is an FQDN in github.com/traefik/traefik
from 0, < 2.6.1
MEDIUM6.5CVE-2023-47106Traefik incorrectly processes fragment in the URL, leads to Authorization Bypass
from 0, < 2.10.6
MEDIUM6.5CVE-2023-47106Traefik incorrectly processes fragment in the URL, leads to Authorization Bypass
from 0, < 2.10.6
MEDIUM6.5CVE-2022-46153Traefik routes exposed with an empty TLSOption in github.com/traefik/traefik
from 0, < 2.9.6
MEDIUM6.5CVE-2022-46153Traefik routes exposed with an empty TLSOption in github.com/traefik/traefik
from 0, < 2.9.6
MEDIUM6.4CVE-2026-41174Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding
from 0, < 2.11.43
MEDIUM6.1CVE-2020-15129Traefik vulnerable to Open Redirect via handling of X-Forwarded-Prefix header
from 0, < 2.3.0-rc6
MEDIUM5.9CVE-2026-22045Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall
from 0, < 2.11.35
MEDIUM5.9CVE-2026-22045Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall
from 0, < 2.11.35
MEDIUM5.9CVE-2025-66491Traefik Inverted TLS Verification Logic in ingress-nginx Provider
from 0
MEDIUM5.9CVE-2023-47124Traefik vulnerable to potential DDoS via ACME HTTPChallenge in github.com/traefik/traefik
from 0, < 2.10.6
MEDIUM5.9CVE-2023-47124Traefik vulnerable to potential DDoS via ACME HTTPChallenge in github.com/traefik/traefik
from 0, < 2.10.6
MEDIUM4.8CVE-2021-32813Header dropping in traefik
from 0, < 2.4.13
MEDIUM4.8CVE-2021-32813Header dropping in traefik
from 0, < 2.4.13
MEDIUM4.4CVE-2026-26998Traefik has unbounded io.ReadAll on auth server response body that causes OOM DOS in github.com/traefik/traefik
from 0, < 2.11.38
MEDIUM4.4CVE-2026-26998Traefik has unbounded io.ReadAll on auth server response body that causes OOM DOS in github.com/traefik/traefik
from 0, < 2.11.38
LOW3.7CVE-2026-41263Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware
from 0, < 2.11.43
LOW3.5CVE-2022-23469Traefik may display authorization header in the debug logs
from 0, < 2.9.6
LOW3.5CVE-2022-23469Traefik may display authorization header in the debug logs
from 0, < 2.9.6
—CVE-2026-44774Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false
from 0, < 2.11.46
—CVE-2026-41181Traefik's errors middleware forwards Authorization and Cookie headers to separate error page service
from 0, < 2.11.44
—CVE-2026-33433Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField
from 0, < 2.11.42
—CVE-2026-33433Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField
from 0, < 2.11.42
—CVE-2026-32695Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass
from 0, <= 2.11.42
—CVE-2026-32695Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass
from 0
—CVE-2026-32595Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration
from 0, < 2.11.41
—CVE-2026-32595Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration
from 0, < 2.11.41
—CVE-2026-32305Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config in github.com/traefik/traefik
from 0, < 2.11.41
—CVE-2026-32305Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config in github.com/traefik/traefik
from 0, < 2.11.41
—CVE-2026-29777Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values
from 0
—CVE-2026-29777Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values
from 0, <= 2.11.40
—CVE-2025-66490Path Normalization Bypass in Traefik Router + Middleware Rules
from 0, < 2.11.32
—CVE-2025-66490Path Normalization Bypass in Traefik Router + Middleware Rules
from 0, < 2.11.32
—CVE-2025-54386Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution in github.com/traefik/traefik
from 0, < 2.11.28
—CVE-2025-54386Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution in github.com/traefik/traefik
from 0, < 2.11.28
—CVE-2025-47952Traefik allows path traversal using url encoding in github.com/traefik/traefik
from 0, < 2.11.25
—CVE-2025-47952Traefik allows path traversal using url encoding in github.com/traefik/traefik
from 0, < 2.11.25
—CVE-2025-32431Traefik has a possible vulnerability with the path matchers in github.com/traefik/traefik
from 0, < 2.11.23
—CVE-2025-32431Traefik has a possible vulnerability with the path matchers in github.com/traefik/traefik
from 0, < 2.11.23
—CVE-2024-52003Traefik's X-Forwarded-Prefix Header still allows for Open Redirect in github.com/traefik/traefik
from 0, < 2.11.14
—CVE-2024-52003Traefik's X-Forwarded-Prefix Header still allows for Open Redirect in github.com/traefik/traefik
from 0, < 2.11.14