SCA: security update for github.com/traefik/traefik/v3 (GHSA-3g6v-2r68-prfc)

medium Tenable Self-Hosted Container Security Plugin ID 443379

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.21 and 3.7.5, there is a high severity
vulnerability in Traefik's Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist.
For HTTPRoute rules that declare multiple (WRR) backendRefs, Traefik evaluates the allowlist against the
target backendRef.namespace instead of the route's own namespace. As a result, an HTTPRoute created in a
namespace that is not allow-listed can reference a cross-provider TraefikService such as api@internal,
dashboard@internal or rest@internal by pointing backendRef.namespace at an allow-listed namespace covered
by a Gateway API ReferenceGrant, exposing internal Traefik services on the data plane. Exploitation
requires the ability to create an accepted HTTPRoute and a matching ReferenceGrant from an allow-listed
namespace; it does not require any change to Traefik static configuration, RBAC, or the deployment itself.
This vulnerability is fixed in 3.6.21 and 3.7.5. (CVE-2026-54761)

Solution

Update the github.com/traefik/traefik/v3 library and its related packages to version 3.6.21 or later.

See Also

https://github.com/advisories/GHSA-3g6v-2r68-prfc

Plugin Details

Severity: Medium

ID: 443379

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 6/18/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

Percentile: 96.41

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:N

CVSS Score Source: CVE-2026-54761

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6

Threat Score: 5.5

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/17/2026

Vulnerability Publication Date: 6/17/2026

Reference Information

CVE: CVE-2026-54761