CVE-2026-44774 Overview
CVE-2026-44774 is an access control vulnerability [CWE-284] in Traefik, an HTTP reverse proxy and load balancer. The flaw exists in Traefik's Kubernetes Gateway API provider prior to versions 2.11.46, 3.6.17, and 3.7.1. A tenant with HTTPRoute creation permissions can expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name ends with @internal, allowing traffic to be routed to rest@internal in addition to the intended api@internal. In shared Gateway deployments where the REST provider is enabled, a low-privileged actor can gain live dynamic configuration write access to Traefik.
Critical Impact
A low-privileged Kubernetes tenant can reconfigure Traefik routers and services at runtime, redirecting traffic or hijacking tenant workloads.
Affected Products
- Traefik versions prior to 2.11.46
- Traefik 3.x versions prior to 3.6.17
- Traefik 3.7.x versions prior to 3.7.1
Discovery Timeline
- 2026-05-15 - CVE-2026-44774 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-44774
Vulnerability Analysis
The vulnerability stems from how Traefik's Kubernetes Gateway API provider validates TraefikService backend references. The provider uses a suffix-match check that accepts any service name ending with @internal. This pattern matches both the intended api@internal handler and the unintended rest@internal handler. When the REST provider is enabled, rest@internal exposes a dynamic configuration write endpoint that Traefik internally uses to ingest configuration over HTTP.
The providers.rest.insecure=false setting is designed to prevent external exposure of this handler. However, the Gateway API code path does not consult this setting before binding rest@internal to a tenant-created HTTPRoute. A tenant authorized to create HTTPRoute objects can therefore route external HTTP traffic directly to the REST configuration interface.
Root Cause
The root cause is improper access control [CWE-284] in the Gateway provider's backend reference resolution logic. The check matches permissively on the @internal suffix instead of allow-listing the specific internal handlers a tenant route may target. As a result, a Kubernetes tenant can cross the trust boundary into the Traefik control plane.
Attack Vector
An attacker requires HTTPRoute creation permissions in a Kubernetes namespace managed by a shared Traefik Gateway. The attacker creates an HTTPRoute whose backend reference points to the TraefikService named rest@internal. Once the Gateway provider reconciles the route, the REST handler becomes reachable over the shared Gateway listener. The attacker can then submit dynamic configuration through the REST endpoint, defining new routers, middlewares, or services, which allows hijacking of routes belonging to other tenants, traffic interception, or redirection to attacker-controlled backends.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-96qj-4jj5-wcjc for technical details.
Detection Methods for CVE-2026-44774
Indicators of Compromise
- HTTPRoute resources referencing a TraefikService backend named rest@internal, or any other @internal-suffixed name that is not api@internal.
- Unexpected dynamic configuration changes appearing in Traefik's runtime routers, middlewares, or services without a corresponding CRD or static configuration update.
- HTTP requests with methods PUT or POST reaching Gateway listeners and resolving to the REST provider handler.
Detection Strategies
- Audit Kubernetes HTTPRoute and TraefikService objects across all namespaces for backend references targeting @internal services other than api@internal.
- Compare Traefik's live dynamic configuration against the declared static and CRD-based configuration to identify unauthorized routers or services.
- Enable verbose access logging on Traefik and alert on requests routed to the REST provider from external sources.
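The following script is an added example (not code from Traefik or from this advisory) that puts the Root Cause and the first detection strategy side by side: a permissive suffix match of the kind described above next to an explicit allow-list, and an audit that applies the allow-list to a constructed document in the shape of `kubectl get httproute -A -o json`. The allow-list contents and the sample HTTPRoutes are assumptions made for the example.

```python
"""Audit Gateway API HTTPRoute backendRefs for Traefik @internal targets.

Added example: contrasts the permissive suffix match described in the
advisory with an explicit allow-list, and applies the allow-list to a
constructed 'kubectl get httproute -A -o json' style document.
"""
import json

# Only the API handler is a legitimate internal target for a tenant route.
# (Illustrative allow-list for this example, not Traefik's own code.)
ALLOWED_INTERNAL_BACKENDS = frozenset({"api@internal"})
INTERNAL_SUFFIX = "@internal"


def suffix_check_allows(name: str) -> bool:
    """Permissive check of the kind the advisory describes: any backend name
    ending in '@internal' is treated as an internal handler, so rest@internal
    passes along with api@internal."""
    return name.endswith(INTERNAL_SUFFIX)


def allowlist_check_allows(name: str) -> bool:
    """Hardened check: an '@internal' name is accepted only if it is on the
    explicit allow-list. Names without the suffix are not internal handlers
    and return True here so normal Service resolution can proceed."""
    if name.endswith(INTERNAL_SUFFIX):
        return name in ALLOWED_INTERNAL_BACKENDS
    return True


def find_internal_backend_refs(route_list: dict) -> list:
    """Return every backendRef in a List of HTTPRoute objects that points at an
    '@internal' target outside the allow-list, with context for triage."""
    findings = []
    for route in route_list.get("items", []):
        meta = route.get("metadata", {})
        rules = route.get("spec", {}).get("rules", [])
        for rule_idx, rule in enumerate(rules):
            for ref in rule.get("backendRefs", []):
                name = ref.get("name", "")
                if name.endswith(INTERNAL_SUFFIX) and not allowlist_check_allows(name):
                    findings.append({
                        "namespace": meta.get("namespace", ""),
                        "route": meta.get("name", ""),
                        "rule": rule_idx,
                        "backend": name,
                        "kind": ref.get("kind", "Service"),
                        "group": ref.get("group", ""),
                    })
    return findings


# Constructed sample: three HTTPRoutes from two tenants and the platform team.
# Only tenant-b's second rule targets a non-allow-listed internal handler.
SAMPLE_HTTPROUTES = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"apiVersion": "gateway.networking.k8s.io/v1", "kind": "HTTPRoute",
     "metadata": {"name": "web", "namespace": "tenant-a"},
     "spec": {"rules": [{"backendRefs": [{"name": "web-svc", "port": 8080}]}]}},
    {"apiVersion": "gateway.networking.k8s.io/v1", "kind": "HTTPRoute",
     "metadata": {"name": "dashboard", "namespace": "platform"},
     "spec": {"rules": [{"backendRefs": [
       {"group": "traefik.io", "kind": "TraefikService", "name": "api@internal"}]}]}},
    {"apiVersion": "gateway.networking.k8s.io/v1", "kind": "HTTPRoute",
     "metadata": {"name": "innocent-looking", "namespace": "tenant-b"},
     "spec": {"rules": [
       {"backendRefs": [{"name": "app-svc", "port": 80}]},
       {"backendRefs": [
         {"group": "traefik.io", "kind": "TraefikService", "name": "rest@internal"}]}]}}
  ]
}
""")


if __name__ == "__main__":
    for f in find_internal_backend_refs(SAMPLE_HTTPROUTES):
        print(f"{f['namespace']}/{f['route']} rule {f['rule']}: "
              f"{f['kind']} {f['backend']} is not an allow-listed internal handler")
```

In a real audit, replace `SAMPLE_HTTPROUTES` with the parsed output of `kubectl get httproute -A -o json`; the allow-list approach is what the Root Cause section contrasts with the suffix match, and it is the property worth re-checking after the upgrade.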
Monitoring Recommendations
- Forward Kubernetes audit logs and Traefik access logs to a centralized analytics platform and alert on HTTPRoute creations referencing internal services.
- Track Traefik version inventory across clusters to confirm patched releases are deployed.
- Monitor for configuration drift events emitted by Traefik's dynamic configuration watcher.
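The script below is an added example (not part of this advisory or of Traefik) for the access-log and configuration-drift checks listed under Detection Strategies and Monitoring Recommendations. It assumes Traefik's JSON access-log field names (ClientAddr, RequestMethod, RequestPath, RouterName, ServiceName), the REST provider's `PUT /api/providers/rest` endpoint, and the shape of the list returned by `GET /api/http/routers` (a `name` suffixed with the provider and an explicit `provider` field); all log lines and router entries are constructed for the example.

```python
"""Alert on REST-provider exposure from Traefik telemetry.

Added example: scans Traefik JSON access-log lines for requests that resolve
to rest@internal or that write to the REST provider endpoint, and flags
runtime routers whose provider is not one of the declared configuration
sources. All sample data is constructed.
"""
import json

# Traefik's REST provider ingests dynamic configuration on this path.
REST_ENDPOINT_PREFIX = "/api/providers/rest"

# Constructed lines in the shape of Traefik's JSON access log (field names
# are Traefik's; addresses, router names and statuses are made up). The last
# line is deliberately not JSON to show the parser skipping it.
SAMPLE_ACCESS_LOG = """\
{"ClientAddr":"10.0.0.5:41234","RequestMethod":"GET","RequestPath":"/","RouterName":"tenant-a-web@kubernetesgateway","ServiceName":"web-svc-8080@kubernetesgateway","DownstreamStatus":200}
{"ClientAddr":"203.0.113.7:51002","RequestMethod":"PUT","RequestPath":"/api/providers/rest","RouterName":"tenant-b-innocent-looking@kubernetesgateway","ServiceName":"rest@internal","DownstreamStatus":200}
{"ClientAddr":"10.0.0.9:40001","RequestMethod":"GET","RequestPath":"/dashboard/","RouterName":"dashboard@kubernetesgateway","ServiceName":"api@internal","DownstreamStatus":200}
not-a-json-line
"""


def rest_exposure_alerts(log_text: str) -> list:
    """Return one alert per access-log record that either resolved to the
    rest@internal service or carried a PUT/POST to the REST endpoint."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # CLF-format or malformed lines carry none of these fields
        service = rec.get("ServiceName", "")
        method = rec.get("RequestMethod", "")
        path = rec.get("RequestPath", "")
        reasons = []
        if service == "rest@internal":
            reasons.append("request routed to rest@internal")
        if method in ("PUT", "POST") and path.startswith(REST_ENDPOINT_PREFIX):
            reasons.append(f"{method} to REST provider endpoint {path}")
        if reasons:
            alerts.append({
                "client": rec.get("ClientAddr", ""),
                "router": rec.get("RouterName", ""),
                "reasons": reasons,
            })
    return alerts


# Constructed sample shaped like Traefik's GET /api/http/routers response.
# The third entry was pushed through the REST provider and shadows tenant-a's
# host rule, which is the hijack scenario the advisory describes.
SAMPLE_RUNTIME_ROUTERS = [
    {"name": "tenant-a-web@kubernetesgateway", "provider": "kubernetesgateway",
     "rule": "Host(`a.example.test`)", "service": "web-svc-8080@kubernetesgateway",
     "status": "enabled"},
    {"name": "dashboard@kubernetesgateway", "provider": "kubernetesgateway",
     "rule": "Host(`traefik.example.test`)", "service": "api@internal",
     "status": "enabled"},
    {"name": "tenant-a-web@rest", "provider": "rest",
     "rule": "Host(`a.example.test`)", "service": "intercept@rest",
     "status": "enabled"},
]

# Configuration sources this (hypothetical) deployment declares in its static
# configuration; anything else in the runtime state is drift.
DECLARED_PROVIDERS = frozenset({"kubernetesgateway", "kubernetescrd", "file", "internal"})


def runtime_drift(runtime_objects: list, declared_providers=DECLARED_PROVIDERS) -> list:
    """Names of runtime routers/services/middlewares whose provider is not a
    declared configuration source (a 'rest' entry on a deployment that never
    intended REST as a source is exactly the drift to alert on)."""
    return [obj.get("name", "") for obj in runtime_objects
            if obj.get("provider") not in declared_providers]


if __name__ == "__main__":
    for a in rest_exposure_alerts(SAMPLE_ACCESS_LOG):
        print(f"ALERT {a['client']} via {a['router']}: {'; '.join(a['reasons'])}")
    for name in runtime_drift(SAMPLE_RUNTIME_ROUTERS):
        print(f"DRIFT runtime object from undeclared provider: {name}")
```

The same `runtime_drift` check applies unchanged to the `/api/http/services` and `/api/http/middlewares` lists, since those entries carry the same `name` and `provider` fields.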
How to Mitigate CVE-2026-44774
Immediate Actions Required
- Upgrade Traefik to version 2.11.46, 3.6.17, or 3.7.1 depending on your release branch.
- Disable the REST provider on shared Gateway deployments until the upgrade is complete, by removing providers.rest from the static configuration.
- Review all existing HTTPRoute resources for backend references ending in @internal and remove any that do not target api@internal.
- Restrict HTTPRoute creation permissions through Kubernetes RBAC to trusted tenants only.
Patch Information
Traefik released fixed versions on the following GitHub release pages: Traefik v2.11.46, Traefik v3.6.17, and Traefik v3.7.1. Full technical context is documented in the GitHub Security Advisory GHSA-96qj-4jj5-wcjc.
Workarounds
- Disable the REST provider entirely in shared multi-tenant Gateway deployments.
- Isolate the Traefik Gateway listener from untrusted networks using network policies or external firewalls.
- Use separate Traefik instances per tenant rather than a shared Gateway when the REST provider must remain enabled.
- Apply admission control policies (for example, OPA Gatekeeper or Kyverno) that reject HTTPRoute objects referencing @internal backends.
# Example Kyverno policy to block HTTPRoute backends referencing @internal services
# Note: the pattern rejects every @internal backend, api@internal included;
# routes to the dashboard/API must then be created by the platform team outside
# the scope of this policy.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-traefik-internal-backends
spec:
  validationFailureAction: Enforce
  rules:
    - name: deny-internal-suffix
      match:
        any:
          - resources:
              kinds:
                - HTTPRoute
      validate:
        message: "HTTPRoute backend references ending in @internal are not permitted."
        pattern:
          spec:
            rules:
              - backendRefs:
                  - name: "!*@internal"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.