Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetesCRD.allowCrossNamespace=false, Traefik correctly rejects direct cross-namespace middleware references from IngressRoute objects, but fails to apply the same restriction to middleware references nested inside a Chain middleware's spec.chain.middlewares[]. An actor with permission to create or update Traefik CRDs in their own namespace can exploit this to cause Traefik to resolve and apply middleware objects from another namespace, bypassing the documented isolation boundary. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Published: 2026-04-30
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traefik's Kubernetes CRD provider enforcement of cross‑namespace isolation fails to protect nested Chain middlewares. When the allowCrossNamespace flag is set to false, the system still resolves middleware objects referenced within a Chain's spec.chain.middlewares[] from any namespace. An attacker with permission to create or update CRDs in their own namespace can thus cause Traefik to apply middleware defined in a different namespace, thereby bypassing the intended isolation boundary. This flaw enables an actor to inject unintended routing behavior, potentially exposing services, rerouting traffic, or executing other malicious middleware logic across namespaces.

Affected Systems

All Traefik releases prior to 2.11.43, 3.6.14, and 3.7.0‑rc.2 are affected. This includes the v2.11.x and v3.6.x series, as well as early v3.7.0‑rc releases. The issue is specific to the Kubernetes CRD provider and impacts any cluster configuration that uses the providers.kubernetesCRD.allowCrossNamespace setting set to false.

Risk and Exploitability

The CVSS score is 4.8, indicating a moderate severity. The EPSS score is < 1%, indicating a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to have CRD creation or update rights within their own namespace, which is a privileged action within a Kubernetes cluster. Once those rights are present, the attacker can bind chain middlewares to references in other namespaces, bypassing the namespace isolation. This raises concerns for environments that grant broad CRD permissions, especially in multi‑tenant cluster setups.

Generated by OpenCVE AI on May 4, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traefik to version 2.11.43 or later, or 3.6.14 or 3.7.0‑rc.2 or newer.
  • Ensure that the providers.kubernetesCRD.allowCrossNamespace option remains set to false after upgrading.
  • Restrict RBAC permissions so that only trusted users or namespaces can create or modify Traefik CRDs.

Generated by OpenCVE AI on May 4, 2026 at 13:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xhjw-95fp-8vgq Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding
History

Mon, 04 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-551
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 01 May 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea2:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea3:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Thu, 30 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Traefik
Traefik traefik
Vendors & Products Traefik
Traefik traefik

Thu, 30 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetesCRD.allowCrossNamespace=false, Traefik correctly rejects direct cross-namespace middleware references from IngressRoute objects, but fails to apply the same restriction to middleware references nested inside a Chain middleware's spec.chain.middlewares[]. An actor with permission to create or update Traefik CRDs in their own namespace can exploit this to cause Traefik to resolve and apply middleware objects from another namespace, bypassing the documented isolation boundary. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Title Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding
Weaknesses CWE-653
CWE-863
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Traefik Traefik
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T13:26:08.289Z

Reserved: 2026-04-17T16:34:45.526Z

Link: CVE-2026-41174

cve-icon Vulnrichment

Updated: 2026-05-04T13:25:35.638Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-30T21:16:33.240

Modified: 2026-05-01T17:39:35.703

Link: CVE-2026-41174

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-30T20:20:29Z

Links: CVE-2026-41174 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T14:00:20Z

Weaknesses