Description
Traefik is an HTTP reverse proxy and load balancer. From 3.7.0-ea.1 until 3.7.5, there is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported nginx.ingress.kubernetes.io/auth-type and auth-secret annotations, but the referenced auth Secret cannot be resolved or parsed, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. A route that operators intended to protect is therefore published to the data plane without its authentication control, allowing unauthenticated access to the backend. The trigger is an invalid or unresolved auth dependency — a missing, malformed, unreadable, or policy-denied Secret — rather than an intentionally unprotected route. This vulnerability is fixed in 3.7.5.
Published: 2026-06-23
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traefik’s Kubernetes Ingress NGINX provider can cause a fail‑open condition when authentication secrets cannot be resolved or parsed. When an Ingress explicitly enables BasicAuth or DigestAuth via the nginx.ingress.kubernetes.io/auth-type and auth-secret annotations, but the referenced auth Secret cannot be resolved, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. As a result, a route that operators intended to protect is published to the data plane without authentication, allowing unauthenticated access to the backend. The issue arises from premature route publication (CWE‑636), missing credential validation (CWE‑693), and an auth resolution failure (CWE‑166), and is rated medium severity; it is fixed in Traefik 3.7.5.

Affected Systems

Traefik versions 3.7.0‑ea.1 through 3.7.4 are affected. Operators running any of these releases within a Kubernetes cluster should verify that Ingress resources using nginx.ingress.kubernetes.io/auth-type and auth-secret annotations reference a valid Secret that exists and is readable. The fix is included in release 3.7.5 and later.

Risk and Exploitability

With a CVSS score of 5.9, the vulnerability is classified as medium severity and the EPSS score is not available. The flaw is triggered by a missing, malformed, unreadable, or policy‑denied Secret. Based on the description, it is inferred that attackers would need the ability to create or modify Ingress resources that use the auth-type and auth-secret annotations in order to trigger the fail‑open behavior. If such permissions are granted, the attacker could provoke the failure and obtain unauthenticated access to the protected backend service. Although it is not listed in CISA’s KEV catalog, the potential loss of authentication warrants prompt remediation.

Generated by OpenCVE AI on June 24, 2026 at 13:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traefik to version 3.7.5 or later to eliminate the fail‑open behavior.
  • Ensure that all Ingress objects using auth-type and auth-secret annotations reference a valid Secret that exists and is readable; validate Secret existence and content during deployment.
  • Restrict RBAC permissions so that only trusted operators can create or modify Ingress resources with authentication annotations, and monitor for any unauthorized Ingress creation or Secret resolution failures.

Generated by OpenCVE AI on June 24, 2026 at 13:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4mr2-fg2p-w63c Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails
History

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-166
References
Metrics threat_severity

None

cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Low


Tue, 23 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Traefik
Traefik traefik
Vendors & Products Traefik
Traefik traefik

Tue, 23 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Description Traefik is an HTTP reverse proxy and load balancer. From 3.7.0-ea.1 until 3.7.5, there is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported nginx.ingress.kubernetes.io/auth-type and auth-secret annotations, but the referenced auth Secret cannot be resolved or parsed, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. A route that operators intended to protect is therefore published to the data plane without its authentication control, allowing unauthenticated access to the backend. The trigger is an invalid or unresolved auth dependency — a missing, malformed, unreadable, or policy-denied Secret — rather than an intentionally unprotected route. This vulnerability is fixed in 3.7.5.
Title Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails
Weaknesses CWE-636
CWE-693
References
Metrics cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T12:41:44.166Z

Reserved: 2026-06-15T23:12:41.966Z

Link: CVE-2026-54762

cve-icon Vulnrichment

Updated: 2026-06-24T12:40:32.603Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-23T19:17:07Z

Links: CVE-2026-54762 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T13:45:16Z

Weaknesses
  • CWE-166

    Improper Handling of Missing Special Element

  • CWE-636

    Not Failing Securely ('Failing Open')

  • CWE-693

    Protection Mechanism Failure