CVE-2026-48020
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk44th percentile — higher than 44% of all known CVEs
Summary
In Traefik prior to versions 2.11.48, 3.6.19, and 3.7.3, a high severity vulnerability exists in the StripPrefix middleware. An unauthenticated attacker can bypass route-level authentication and authorization by using a request path containing '..' or its percent-encoded form '%2e%2e'.
Risk Assessment
An attacker can reach protected backend paths, such as admin panels or internal configuration endpoints, without satisfying the authentication middleware. This could lead to unauthorized access to sensitive resources and potential compromise of the application.
Recommendation
Immediately update Traefik to version 2.11.48, 3.6.19, or 3.7.3, depending on your branch. After updating, review your PathPrefix and StripPrefix middleware configurations to ensure no route security gaps remain.
Original NVD description (English source)
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing .. or its percent-encoded form %2e%2e can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths — such as admin or internal configuration endpoints — without satisfying the authentication middleware attached to the protected router. This vulnerability is fixed in 2.11.48, 3.6.19, and 3.7.3.

