Description
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing .. or its percent-encoded form %2e%2e can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths — such as admin or internal configuration endpoints — without satisfying the authentication middleware attached to the protected router. This vulnerability is fixed in 2.11.48, 3.6.19, and 3.7.3.
Published: 2026-06-23
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traefik is an HTTP reverse proxy and load balancer. In versions prior to 2.11.48, 3.6.19, and 3.7.3, the StripPrefix middleware allows an unauthenticated attacker to bypass route‑level authentication and authorization. By sending a request path containing .. or the percent‑encoded %2e%2e, the request matches a public router with a PathPrefix rule during routing. After the prefix is stripped and the path is normalized, it resolves to a path served by a different authenticated router, enabling the attacker to reach protected backend paths such as admin or internal configuration endpoints without satisfying any attached authentication middleware. This flaw is classified as a CWE‑288 privilege management error and a CWE‑22 path traversal vulnerability.

Affected Systems

Traefik versions earlier than 2.11.48, 3.6.19, and 3.7.3 are affected. Any deployment using a public router with a PathPrefix rule combined with the StripPrefix middleware in those versions is vulnerable. Upgrading to the specified releases or later resolves the issue.

Risk and Exploitability

The vulnerability has a CVSS score of 7.8, indicating high severity. The EPSS score is less than 1%, indicating a low but nonzero likelihood of exploitation. The flaw permits an unauthenticated attacker to bypass route‑level authentication and authorization by manipulating request paths containing .. or %2e%2e, a path traversal technique (CWE‑22) and a privilege management error (CWE‑288). It is not listed in the CISA KEV catalog, but can be exploited by sending crafted HTTP requests to a Traefik instance because no local privilege escalation or user authentication is required.

Generated by OpenCVE AI on June 26, 2026 at 01:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Traefik 2.11.48, 3.6.19, or 3.7.3 or a newer release.
  • If an upgrade cannot be performed immediately, remove or disable the StripPrefix middleware on any public routers that use PathPrefix rules.
  • Verify router configurations to ensure no public route forwards requests to authenticated backends after path normalization.

Generated by OpenCVE AI on June 26, 2026 at 01:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xf64-8mw2-4gr2 Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization
History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
References
Metrics threat_severity

None

cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

threat_severity

Important


Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Traefik
Traefik traefik
Vendors & Products Traefik
Traefik traefik

Tue, 23 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Description Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing .. or its percent-encoded form %2e%2e can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths — such as admin or internal configuration endpoints — without satisfying the authentication middleware attached to the protected router. This vulnerability is fixed in 2.11.48, 3.6.19, and 3.7.3.
Title Traefik StripPrefix Route-Level Auth Bypass via Path Normalization
Weaknesses CWE-288
References
Metrics cvssV4_0

{'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T12:09:59.927Z

Reserved: 2026-05-20T17:44:09.587Z

Link: CVE-2026-48020

cve-icon Vulnrichment

Updated: 2026-06-30T03:18:49.489Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-23T19:10:31Z

Links: CVE-2026-48020 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T01:30:17Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel