Description
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.21 and 3.7.5, there is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist. For HTTPRoute rules that declare multiple (WRR) backendRefs, Traefik evaluates the allowlist against the target backendRef.namespace instead of the route's own namespace. As a result, an HTTPRoute created in a namespace that is not allow-listed can reference a cross-provider TraefikService such as api@internal, dashboard@internal or rest@internal by pointing backendRef.namespace at an allow-listed namespace covered by a Gateway API ReferenceGrant, exposing internal Traefik services on the data plane. Exploitation requires the ability to create an accepted HTTPRoute and a matching ReferenceGrant from an allow-listed namespace; it does not require any change to Traefik static configuration, RBAC, or the deployment itself. This vulnerability is fixed in 3.6.21 and 3.7.5.
Published: 2026-06-23
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.21 and 3.7.5, there is a high severity crossProviderNamespaces allowlist flaw that corresponds to a CWE‑284 authorization bypass and a CWE‑863 improper restriction of operations after privilege escalation. For HTTPRoute rules that declare multiple (WRR) backendRefs, Traefik evaluates the allowlist against the target backendRef.namespace instead of the route's own namespace. As a result, an HTTPRoute created in a namespace that is not allow‑listed can reference a cross‑provider TraefikService such as api@internal, dashboard@internal or rest@internal by pointing backendRef.namespace at an allow‑listed namespace covered by a Gateway API ReferenceGrant, exposing internal Traefik services on the data plane. Exploitation requires the ability to create an accepted HTTPRoute and a matching ReferenceGrant from an allow‑listed namespace; it does not require any change to Traefik static configuration, RBAC, or the deployment itself. This vulnerability is fixed in 3.6.21 and 3.7.5.

Affected Systems

This issue affects prior releases of Traefik 3.6 and 3.7 before the protective patches 3.6.21 and 3.7.5, when the Kubernetes Gateway provider is used. Any deployment that leverages crossProviderNamespaces for HTTPRoute objects and maintains a ReferenceGrant to an allow‑listed namespace is potentially vulnerable, regardless of the static Traefik configuration.

Risk and Exploitability

The CVSS score of 6 places the vulnerability in the medium severity band, but it requires no modification to the Traefik deployment and only the ability to create a valid HTTPRoute and an associated ReferenceGrant, permissions that many cluster administrators and privileged workloads already possess. The EPSS score is not available, and the vulnerability is not yet listed in CISA's KEV catalog. The attack would proceed through normal Kubernetes API calls, meaning that internal services could be exposed to any user with the required create‑rights.

Generated by OpenCVE AI on June 24, 2026 at 10:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Traefik to version 3.6.21 or later, or 3.7.5 or later, to incorporate the fix that correctly validates the HTTPRoute namespace.
  • Restrict or remove crossProviderNamespaces usage if not necessary, ensuring that internal Traefik services are exposed only to explicitly authorized namespaces.
  • Review and tighten RBAC policies so that only trusted users or service accounts can create HTTPRoute and ReferenceGrant objects.

Generated by OpenCVE AI on June 24, 2026 at 10:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3g6v-2r68-prfc Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services
History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Traefik
Traefik traefik
Vendors & Products Traefik
Traefik traefik

Tue, 23 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Description Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.21 and 3.7.5, there is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist. For HTTPRoute rules that declare multiple (WRR) backendRefs, Traefik evaluates the allowlist against the target backendRef.namespace instead of the route's own namespace. As a result, an HTTPRoute created in a namespace that is not allow-listed can reference a cross-provider TraefikService such as api@internal, dashboard@internal or rest@internal by pointing backendRef.namespace at an allow-listed namespace covered by a Gateway API ReferenceGrant, exposing internal Traefik services on the data plane. Exploitation requires the ability to create an accepted HTTPRoute and a matching ReferenceGrant from an allow-listed namespace; it does not require any change to Traefik static configuration, RBAC, or the deployment itself. This vulnerability is fixed in 3.6.21 and 3.7.5.
Title Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services
Weaknesses CWE-284
CWE-863
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T12:45:24.775Z

Reserved: 2026-06-15T23:12:41.966Z

Link: CVE-2026-54761

cve-icon Vulnrichment

Updated: 2026-06-25T12:45:18.912Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:15:05Z

Weaknesses