Severity: CRITICAL · CVE-2026-48020 · CNA: GitHub_M

CVE-2026-48020: Traefik StripPrefix Route-Level Auth Bypass via Path Normalization

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing .. or its percent-encoded form %2e%2e can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths — such as admin or internal configuration endpoints — without satisfying the authentication middleware attached to the protected router. This vulnerability is fixed in 2.11.48, 3.6.19, and 3.7.3.

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: (not listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability exists in Traefik's StripPrefix middleware, affecting versions prior to 2.11.48, 3.6.19, and 3.7.3. The flaw is reachable over the network without any credentials: an attacker sends a crafted HTTP request whose path contains dot-dot segments (.. or %2e%2e) that match a public route at routing time, then normalize after prefix-stripping to resolve against a separately authenticated route. Successful exploitation grants the attacker full read and write access to protected backend paths such as admin or internal configuration endpoints, without satisfying any authentication middleware. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream fix versions are published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Traefik. Any image found to carry an affected Traefik version is flagged immediately.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS 9.1 (Critical) and weighting it against each environment's compliance policy to determine urgency. Triage routing is available to direct the alert to the appropriate team inbox within each customer organization.

Patch: Pending upstream

Because no upstream fix versions have been published yet, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released upstream. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Traefik instance over the network; the service's HTTP listener must be reachable from the attacker's origin.

  • Authentication: Not required

    No credentials of any kind are required; the vulnerability is exploitable by any unauthenticated HTTP client.

  • Victim interaction: Not required

    No victim action is needed; the attacker sends a crafted request directly to the Traefik endpoint without any user involvement.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploitation is reliable and condition-free: the attacker only needs to craft a path containing dot-dot segments, with no race conditions or environmental prerequisites.

Blast Radius

  • Reads protected backend resources such as admin dashboards, internal configuration endpoints, and management APIs without credentials.
  • Writes to or modifies protected backend resources, enabling configuration tampering or administrative actions on the backend service.
  • Bypasses any route-level authorization controls (token validation, OAuth middleware, basic-auth) attached to the protected Traefik router.
  • Exposes all backend services routed through the affected Traefik instance that rely on StripPrefix-plus-router separation for access control.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for this critical authentication bypass, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version ships from the Traefik project. In the meantime, compensating controls are worth considering:

  • apply a network policy that restricts inbound access to the Traefik HTTP listener to known-trusted source CIDRs only;
  • add an explicit deny rule at the ingress layer for request paths containing raw or percent-encoded dot-dot sequences (.. and %2e%2e);
  • if possible, gate the public router's PathPrefix rules more narrowly so they cannot be made to match paths intended for authenticated routers.

For customers with auto-remediation enabled, once upstream publishes fixes at 2.11.48, 3.6.19, or 3.7.3, HarborGuard will automatically initiate a rebuild, run regression tests, and open a PR against affected workloads. Where compliance policy does not permit auto-remediation, HarborGuard will surface the patched rebuild for manual review and promotion.
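The following Go code is an added example, not code from the Traefik project, from the CVE record, or from HarborGuard. It illustrates two things the advisory describes: the routing-versus-normalization mismatch from the Synopsis (a path that starts with a public prefix but, once percent-decoded and cleaned, no longer lies under it), and the "explicit deny rule at the ingress layer" for raw or percent-encoded dot-dot sequences listed above as a compensating control. The function names `containsDotDotSegment`, `normalizedEscapesPrefix` and `denyTraversal`, the sample paths, and the use of a plain string-prefix match in place of a real router's PathPrefix rule are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// containsDotDotSegment reports whether a request path as received on the wire
// (percent-encoding intact, no query string) carries a ".." segment, either
// literally or after one round of percent-decoding, so "%2e%2e", "%2E%2E" and
// ".%2e" are all caught. A path whose percent-encoding is malformed is treated
// as suspicious and reported as well, since it cannot be normalized reliably.
func containsDotDotSegment(rawPath string) bool {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return true
	}
	for _, candidate := range []string{rawPath, decoded} {
		for _, seg := range strings.Split(candidate, "/") {
			if seg == ".." {
				return true
			}
		}
	}
	return false
}

// normalizedEscapesPrefix reports the routing-versus-normalization mismatch the
// advisory describes: the wire path starts with publicPrefix (so a prefix rule
// would select the public router), but once the path is percent-decoded and
// cleaned it no longer lies under that prefix. A plain string-prefix match is
// used here as a simplification of a router's PathPrefix rule (assumption).
func normalizedEscapesPrefix(rawPath, publicPrefix string) bool {
	if !strings.HasPrefix(rawPath, publicPrefix) {
		return false // the public router would not have matched in the first place
	}
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return true
	}
	cleaned := path.Clean(decoded)
	return !strings.HasPrefix(cleaned, publicPrefix)
}

// denyTraversal is the "explicit deny rule at the ingress layer" from the
// advisory expressed as a Go HTTP middleware: requests whose wire path carries a
// dot-dot segment are rejected before any routing or prefix stripping happens.
func denyTraversal(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// EscapedPath returns the path as sent by the client, percent-encoding
		// preserved, so both the literal and the %2e%2e form are inspected.
		if containsDotDotSegment(r.URL.EscapedPath()) {
			http.Error(w, "bad request path", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample paths; "/public" stands in for a prefix a public router matches on.
	for _, p := range []string{
		"/public/index.html",
		"/public/sub/../index.html",
		"/public/../admin",
		"/public/%2e%2e/admin",
	} {
		fmt.Printf("%-28s dot-dot=%-5v escapes-prefix=%v\n",
			p, containsDotDotSegment(p), normalizedEscapesPrefix(p, "/public"))
	}
}
```

The deny rule is deliberately broader than the mismatch check: `/public/sub/../index.html` normalizes to a path still under `/public`, so `normalizedEscapesPrefix` returns false for it, yet `denyTraversal` still rejects it because it contains a dot-dot segment. That is the trade-off of the compensating control the advisory recommends: it blocks every traversal-shaped path, including harmless ones, in exchange for not having to reason about which normalized paths cross a router boundary.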

Affected packages

  • traefik / traefik: >= 3.7.0-ea.1, < 3.7.3 · >= 3.0.0-beta1, < 3.6.19 · < 2.11.48

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N