Impact
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.21 and 3.7.5, there is a high severity crossProviderNamespaces allowlist flaw that corresponds to a CWE‑284 authorization bypass and a CWE‑863 improper restriction of operations after privilege escalation. For HTTPRoute rules that declare multiple (WRR) backendRefs, Traefik evaluates the allowlist against the target backendRef.namespace instead of the route's own namespace. As a result, an HTTPRoute created in a namespace that is not allow‑listed can reference a cross‑provider TraefikService such as api@internal, dashboard@internal or rest@internal by pointing backendRef.namespace at an allow‑listed namespace covered by a Gateway API ReferenceGrant, exposing internal Traefik services on the data plane. Exploitation requires the ability to create an accepted HTTPRoute and a matching ReferenceGrant from an allow‑listed namespace; it does not require any change to Traefik static configuration, RBAC, or the deployment itself. This vulnerability is fixed in 3.6.21 and 3.7.5.
Affected Systems
This issue affects prior releases of Traefik 3.6 and 3.7 before the protective patches 3.6.21 and 3.7.5, when the Kubernetes Gateway provider is used. Any deployment that leverages crossProviderNamespaces for HTTPRoute objects and maintains a ReferenceGrant to an allow‑listed namespace is potentially vulnerable, regardless of the static Traefik configuration.
Risk and Exploitability
The CVSS score of 6 places the vulnerability in the medium severity band, but it requires no modification to the Traefik deployment and only the ability to create a valid HTTPRoute and an associated ReferenceGrant, permissions that many cluster administrators and privileged workloads already possess. The EPSS score is not available, and the vulnerability is not yet listed in CISA's KEV catalog. The attack would proceed through normal Kubernetes API calls, meaning that internal services could be exposed to any user with the required create‑rights.
OpenCVE Enrichment
Github GHSA