Traefik < 2.11.43 / 3.x < 3.6.14 Multiple Vulnerabilities

high Nessus Plugin ID 311474

Synopsis

The remote macOS host is affected by multiple vulnerabilities.

Description

The version of Traefik installed on the remote macOS host is prior to 2.11.43 or 3.x prior to 3.6.14. It is, therefore, affected by multiple vulnerabilities:

- An authentication bypass via StripPrefixRegex and ForwardAuth dot-segment normalization. When StripPrefixRegex processes URLs with percent-encoded characters, it miscalculates byte offsets, producing a dot-segment path that authentication middleware fails to match against protection rules. (CVE-2026-40912)

- An authentication bypass via unsanitized underscore-variant forwarded headers. Traefik's forwarded-header sanitization logic targets only canonical header names and does not strip alias variants that use underscores instead of dashes, allowing attackers to inject forged trust context to bypass ForwardAuth. (CVE-2026-39858)

- An authentication bypass in ForwardAuth when trustForwardHeader is set to false behind a trusted proxy. The X-Forwarded-Prefix header remains unstripped in authentication subrequests, allowing external attackers to spoof the header and bypass access controls on protected routes. (CVE-2026-35051)

- A timing side-channel in BasicAuth that allows username enumeration via bcrypt short-circuit. Due to a map key/value confusion bug, a fallback security mechanism fails to function properly, enabling attackers to enumerate valid usernames by analyzing response-time differences. (CVE-2026-41263)

- A Kubernetes CRD cross-namespace isolation bypass via Chain middleware references. When allowCrossNamespace is set to false, Traefik fails to apply the same restriction to middleware references nested inside a Chain middleware, allowing actors to access middleware from other namespaces. (CVE-2026-41174)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Traefik version 2.11.43, 3.6.14, or later.
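Because the plugin decides purely from the self-reported version (see the note in the Description), the same decision is easy to reproduce outside Nessus, for example over a CMDB export of Traefik installs. The following is an added example, not Nessus plugin code and not Traefik project code; it encodes only the affected ranges stated above (2.x before 2.11.43, 3.x before 3.6.14), treats a pre-release build of a fixed version (such as 3.6.14-rc1) as still affected, and assumes that major lines other than 2.x and 3.x are out of scope for this advisory. Hostnames and version strings in the sample inventory are constructed.

```python
import re
from typing import List, Optional, Tuple

# Fixed versions taken from the advisory's Solution section.
FIXED_2X = (2, 11, 43)
FIXED_3X = (3, 6, 14)

Version = Tuple[int, int, int]


def parse_version(text: str) -> Optional[Tuple[Version, bool]]:
    """Parse strings such as '3.6.13', 'v2.11.42' or '3.6.14-rc1'.

    Returns ((major, minor, patch), is_prerelease), or None when the
    string does not look like a Traefik release version at all.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?", text.strip())
    if m is None:
        return None
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return core, m.group(4) is not None


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version is inside the advisory's affected range,
    False if it is at or past the fixed release, None if unparseable
    (leave those for manual review rather than silently marking them safe)."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    core, prerelease = parsed
    major = core[0]
    if major < 2:
        return True            # every 1.x build is "prior to 2.11.43"
    if major == 2:
        fixed = FIXED_2X
    elif major == 3:
        fixed = FIXED_3X
    else:
        return False           # assumption: later major lines are not covered here
    # A pre-release of the fixed version (e.g. 3.6.14-rc1) predates the fix.
    return core < fixed or (core == fixed and prerelease)


def triage(inventory: List[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Split a (host, version) inventory into hosts that need the upgrade
    and hosts whose version string could not be evaluated."""
    needs_upgrade: List[str] = []
    unparseable: List[str] = []
    for host, version in inventory:
        verdict = is_vulnerable(version)
        if verdict is None:
            unparseable.append(host)
        elif verdict:
            needs_upgrade.append(host)
    return needs_upgrade, unparseable


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("edge-a.example", "2.11.42"),     # 2.x, before the fix
    ("edge-b.example", "2.11.43"),     # 2.x, fixed
    ("edge-c.example", "v3.6.13"),     # 3.x, before the fix
    ("edge-d.example", "3.6.14-rc1"),  # pre-release of the fixed version
    ("edge-e.example", "3.6.14"),      # 3.x, fixed
    ("edge-f.example", "unknown"),     # cannot be evaluated
]

if __name__ == "__main__":
    upgrade, review = triage(SAMPLE_INVENTORY)
    print("needs upgrade:", upgrade)
    print("manual review:", review)
```

The separate "manual review" bucket matters in practice: an install whose version cannot be read is exactly the case a version-only check would otherwise report as clean, which is the same limitation the plugin's own note describes.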

See Also

http://www.nessus.org/u?c93041df

http://www.nessus.org/u?674b2fba

http://www.nessus.org/u?c953a351

http://www.nessus.org/u?6c7edefd

http://www.nessus.org/u?b02f9e16

Plugin Details

Severity: High

ID: 311474

File Name: macos_traefik_2_11_43.nasl

Version: 1.1

Type: Local

Agent: macosx

Published: 5/2/2026

Updated: 5/2/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.1

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-40912

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.8

Threat Score: 4.5

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

Vulnerability Information

CPE: cpe:/a:traefik:traefik

Required KB Items: Host/local_checks_enabled, installed_sw/traefik

Exploit Ease: No known exploits are available

Patch Publication Date: 4/22/2026

Vulnerability Publication Date: 4/22/2026

Reference Information

CVE: CVE-2026-35051, CVE-2026-39858, CVE-2026-40912, CVE-2026-41174, CVE-2026-41263

IAVB: 2026-B-0111