Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false — CVE-2026-44774

GitHub · GitHub · CVE-2026-44774

ID
CVE-2026-44774

Date
2026-05-13

Activity
2026-05-13

Source
GitHub

Vendor
GitHub

Threat
medium

CVSS
6.4

Summary

## Summary There is a medium severity vulnerability in Traefik's Kubernetes Gateway API provider that allows a tenant with `HTTPRoute` creation permissions to expose the REST provider handler, bypassing the `providers.rest.insecure=false` setting. The Gateway provider accepts any `TraefikService` backend reference whose name ends with `@internal`, making it possible to route traffic to `rest@internal` in addition…

Product

go: github.com/traefik/traefik/v3 | go: github.com/traefik/traefik/v2 | go: github.com/traefik/traefik

What to do

General, cautious steps (verify details in the official source):

Review exposure and plan remediation based on risk and environment.
Identify affected product versions in your inventory and verify whether you are impacted.
Apply vendor patches/updates or recommended mitigations as soon as available.
Read the official advisory for exact affected versions and remediation steps.

Official advisory

Related advisories

GitHub GitHub 2026-W20

Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false — CVE-2026-44774

Summary

Product

What to do

Official advisory

Related advisories

Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.6.11

Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.6.11

Authlib: Cross-site request forging when using cache

AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion

Important: firefox security update

Important: gimp:2.8 security update