2464226 – (CVE-2026-41174) CVE-2026-41174 Traefik: github.com/traefik/traefik: Traefik: Cross-namespace isolation bypass via nested middleware references

Bug 2464226 (CVE-2026-41174) - CVE-2026-41174 Traefik: github.com/traefik/traefik: Traefik: Cross-namespace isolation bypass via nested middleware references

Summary: CVE-2026-41174 Traefik: github.com/traefik/traefik: Traefik: Cross-namespace ...

Keywords:
Status:	NEW
Alias:	CVE-2026-41174
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-30 21:01 UTC by OSIDB Bzimport
Modified:	2026-05-04 10:09 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-30 21:01:18 UTC

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetesCRD.allowCrossNamespace=false, Traefik correctly rejects direct cross-namespace middleware references from IngressRoute objects, but fails to apply the same restriction to middleware references nested inside a Chain middleware's spec.chain.middlewares[]. An actor with permission to create or update Traefik CRDs in their own namespace can exploit this to cause Traefik to resolve and apply middleware objects from another namespace, bypassing the documented isolation boundary. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

Note You need to log in before you can comment on or make changes to this bug.