CVE-2026-54762

Source
https://cve.org/CVERecord?id=CVE-2026-54762
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54762.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54762
Aliases
Downstream
Related
Published
2026-06-23T19:17:07.491Z
Modified
2026-07-11T09:29:31.027154542Z
Severity
  • 5.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
Summary
Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails
Details

Traefik is an HTTP reverse proxy and load balancer. From 3.7.0-ea.1 until 3.7.5, there is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported nginx.ingress.kubernetes.io/auth-type and auth-secret annotations, but the referenced auth Secret cannot be resolved or parsed, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. A route that operators intended to protect is therefore published to the data plane without its authentication control, allowing unauthenticated access to the backend. The trigger is an invalid or unresolved auth dependency — a missing, malformed, unreadable, or policy-denied Secret — rather than an intentionally unprotected route. This vulnerability is fixed in 3.7.5.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54762.json",
    "cwe_ids": [
        "CWE-636",
        "CWE-693"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/traefik/traefik

Affected ranges

Type
GIT
Repo
https://github.com/traefik/traefik
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "3.7.0-ea.1"
        },
        {
            "fixed": "3.7.5"
        },
        {
            "introduced": "3.7.0"
        }
    ]
}

Affected versions

v3.*
v3.7.0
v3.7.0-ea.1
v3.7.0-ea.2
v3.7.0-ea.3
v3.7.0-rc.1
v3.7.0-rc.2
v3.7.0-rc.3
v3.7.1
v3.7.2
v3.7.3
v3.7.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54762.json"