Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-48020

CVE-2026-48020: Traefik Auth Bypass Vulnerability

CVE-2026-48020 is an authentication bypass vulnerability in Traefik's StripPrefix middleware that allows unauthenticated attackers to access protected backend paths. This article covers technical details, affected versions, and fixes.

Published:

CVE-2026-48020 Overview

CVE-2026-48020 is an authentication bypass vulnerability in Traefik, an HTTP reverse proxy and load balancer. The flaw exists in the StripPrefix middleware and affects versions prior to 2.11.48, 3.6.19, and 3.7.3. An unauthenticated attacker can send a request path containing .. or its percent-encoded form %2e%2e to match a public router using a PathPrefix rule. After Traefik strips the prefix and normalizes the path, the request resolves to a route served by a separate authenticated router. This allows attackers to reach protected backend endpoints, including admin and internal configuration interfaces, without satisfying the authentication middleware [CWE-288].

Critical Impact

Unauthenticated remote attackers can bypass route-level authentication and access protected admin or internal configuration endpoints behind Traefik.

Affected Products

  • Traefik versions prior to 2.11.48
  • Traefik 3.x versions prior to 3.6.19
  • Traefik 3.7.x versions prior to 3.7.3

Discovery Timeline

  • 2026-06-23 - CVE-2026-48020 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-48020

Vulnerability Analysis

The vulnerability resides in how Traefik evaluates routing rules against the StripPrefix middleware. Traefik matches the incoming request path against a public router's PathPrefix rule before path normalization. The StripPrefix middleware then removes the matched prefix and the path is normalized. During normalization, .. segments traverse up the path hierarchy, causing the final request to map to a different router and backend service. The post-normalization route may belong to an authenticated router protected by middleware such as BasicAuth, ForwardAuth, or OAuth, but the request never passes through that middleware chain. This breaks the security boundary between public and protected routes sharing the same Traefik instance.

Root Cause

The root cause is improper ordering of path normalization relative to route matching and middleware evaluation. Traefik selects the router and applies middlewares based on the raw request path, then strips and normalizes, producing a final path that no longer corresponds to the originally matched router. The authentication middleware bound to the actual destination router is never invoked. The advisory tracks this under CWE-288: Authentication Bypass Using an Alternate Path or Channel.

Attack Vector

The attack is fully remote, requires no authentication, and no user interaction. An attacker crafts an HTTP request to a public route configured with StripPrefix, embedding .. or %2e%2e segments. For example, a request to a public path under a /public prefix can be crafted to traverse upward after stripping and reach an /admin route handled by a different router. The attacker reaches protected backends served by the same Traefik instance without presenting credentials. Refer to GitHub Security Advisory GHSA-xf64-8mw2-4gr2 for the full technical description.

Detection Methods for CVE-2026-48020

Indicators of Compromise

  • HTTP request logs containing .. sequences or %2e%2e encodings in the path component of requests to Traefik-fronted services.
  • Access log entries showing requests matching a public router prefix but resolving to backends mapped to authenticated routers.
  • Successful HTTP responses (2xx) from admin or internal endpoints without corresponding authentication events in the auth provider logs.

Detection Strategies

  • Inspect Traefik access logs for path components containing .., %2e%2e, %2E%2E, or mixed-case encodings followed by paths matching protected routes.
  • Correlate Traefik routing decisions with backend authentication logs to identify protected endpoint hits that lack a preceding successful authentication event.
  • Run a controlled probe against staging instances by issuing requests to public PathPrefix routes with .. traversal payloads and verify whether protected routes respond.

Monitoring Recommendations

  • Enable Traefik access logging with full request URI capture and forward logs to a centralized SIEM for correlation.
  • Alert on any access to administrative paths such as /admin, /api/internal, or /dashboard that originates from a public router context.
  • Monitor request rates and source IPs issuing path-traversal-style payloads against Traefik front ends.

How to Mitigate CVE-2026-48020

Immediate Actions Required

  • Upgrade Traefik to a fixed release: 2.11.48, 3.6.19, or 3.7.3 depending on the deployed major version.
  • Audit all router configurations using StripPrefix middleware and identify any routers sharing backend domains with authenticated routes.
  • Review recent access logs for traversal patterns and validate that no unauthorized access to protected endpoints occurred.

Patch Information

The maintainers fixed CVE-2026-48020 in Traefik v2.11.48, Traefik v3.6.19, and Traefik v3.7.3. Upgrade the Traefik binary or container image and restart the proxy to apply the fix. The patched releases normalize paths before route matching and middleware evaluation, ensuring the authentication middleware bound to the resolved destination router is applied.

Workarounds

  • If immediate upgrade is not possible, deploy a Web Application Firewall (WAF) or upstream proxy rule that rejects requests containing .., %2e%2e, or other encoded traversal sequences in the path.
  • Restructure router configurations so that public and authenticated routes do not share a common ancestor reachable through StripPrefix normalization.
  • Place authentication middleware on the entry point or as global middleware rather than only on individual protected routers, where feasible.
bash
# Example: upgrade Traefik container image to a patched version
docker pull traefik:v3.7.3
docker stop traefik && docker rm traefik
docker run -d --name traefik \
  -p 80:80 -p 443:443 -p 8080:8080 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v $(pwd)/traefik.yml:/etc/traefik/traefik.yml \
  traefik:v3.7.3

# Verify the running version
docker exec traefik traefik version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.