Detections
Analytics
Traefik < 2.11.38 / 3.x < 3.6.9 Multiple Vulnerabilities
high Nessus Plugin ID 318671
Synopsis
The remote macOS host is affected by multiple vulnerabilities.Description
The version of Traefik installed on the remote macOS host is prior to 2.11.38 or 3.x prior to 3.6.9. It is, therefore, affected by multiple vulnerabilities:- A flaw exists in the ForwardAuth middleware due to the response body from the authentication server being read entirely into memory without any size limit. An authenticated, remote attacker can exploit this to cause a denial of service via an out-of-memory condition. (CVE-2026-26998)
- A flaw exists in TLS handshake handling on TCP routers due to the read deadline being cleared before the TLS handshake is completed. An unauthenticated, remote attacker can exploit this, via incomplete TLS records, to cause a denial of service by exhausting file descriptors and goroutines. (CVE-2026-26999)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Traefik version 2.11.38, 3.6.9, or later.See Also
https://github.com/traefik/traefik/releases/tag/v2.11.38
https://github.com/traefik/traefik/releases/tag/v3.6.9
Plugin Details
Severity: High
ID: 318671
File Name: macos_traefik_3_6_9.nasl
Version: 1.1
Type: Local
Agent: macosx
Family: MacOS X Local Security Checks
Published: 6/4/2026
Updated: 6/4/2026
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: High
Base Score: 7.8
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS Score Source: CVE-2026-26999
CVSS v3
Risk Factor: High
Base Score: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Information
CPE: cpe:/a:traefik:traefik
Required KB Items: Host/local_checks_enabled, installed_sw/traefik
Patch Publication Date: 3/5/2026
Vulnerability Publication Date: 3/5/2026
Reference Information
CVE: CVE-2026-26998, CVE-2026-26999
IAVB: 2026-B-0059