Impact
Traefik’s Kubernetes Ingress NGINX provider can cause a fail‑open condition when authentication secrets cannot be resolved or parsed. When an Ingress explicitly enables BasicAuth or DigestAuth via the nginx.ingress.kubernetes.io/auth-type and auth-secret annotations, but the referenced auth Secret cannot be resolved, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. As a result, a route that operators intended to protect is published to the data plane without authentication, allowing unauthenticated access to the backend. The issue arises from premature route publication (CWE‑636), missing credential validation (CWE‑693), and an auth resolution failure (CWE‑166), and is rated medium severity; it is fixed in Traefik 3.7.5.
Affected Systems
Traefik versions 3.7.0‑ea.1 through 3.7.4 are affected. Operators running any of these releases within a Kubernetes cluster should verify that Ingress resources using nginx.ingress.kubernetes.io/auth-type and auth-secret annotations reference a valid Secret that exists and is readable. The fix is included in release 3.7.5 and later.
Risk and Exploitability
With a CVSS score of 5.9, the vulnerability is classified as medium severity and the EPSS score is not available. The flaw is triggered by a missing, malformed, unreadable, or policy‑denied Secret. Based on the description, it is inferred that attackers would need the ability to create or modify Ingress resources that use the auth-type and auth-secret annotations in order to trigger the fail‑open behavior. If such permissions are granted, the attacker could provoke the failure and obtain unauthenticated access to the protected backend service. Although it is not listed in CISA’s KEV catalog, the potential loss of authentication warrants prompt remediation.
OpenCVE Enrichment
Github GHSA