SCA: security update for github.com/traefik/traefik/v2, github.com/traefik/traefik/v3 (GHSA-fw45-f5q2-2p4x)

medium Tenable Self-Hosted Container Security Plugin ID 438304

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a
potential vulnerability in Traefik managing the ForwardAuth middleware responses. When Traefik is
configured to use the ForwardAuth middleware, the response body from the authentication server is read
entirely into memory without any size limit. There is no maxResponseBodySize configuration to restrict the
amount of data read from the authentication server response. If the authentication server returns an
unexpectedly large or unbounded response body, Traefik will allocate unlimited memory, potentially causing
an out-of-memory (OOM) condition that crashes the process. This results in a denial of service for all
routes served by the affected Traefik instance. This issue has been patched in versions 2.11.38 and 3.6.9.
(CVE-2026-26998)

See Also

https://github.com/advisories/GHSA-fw45-f5q2-2p4x

Plugin Details

Severity: Medium

ID: 438304

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 3/4/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:H/Au:M/C:N/I:N/A:C

CVSS Score Source: CVE-2026-26998

CVSS v3

Risk Factor: Medium

Base Score: 4.4

Temporal Score: 3.9

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/4/2026

Vulnerability Publication Date: 3/4/2026

Reference Information

CVE: CVE-2026-26998

cwe: CWE-770