# Traefik Kubernetes CRD Allows Unauthorized Cross-Namespace Middleware Binding

## Vulnerability Overview

The Kubernetes CRD provider in Traefik has a potential vulnerability in the enforcement of cross-namespace isolation. When `providers.kubernetesCRD.allowCrossNamespace=True`, Traefik correctly rejects direct cross-namespace middleware references from `IngressRoute` objects but fails to apply the same restrictions to middleware references nested within `spec.chain.middlewares[]` of a `ChainMiddleware`.

An attacker with permissions to create or update Traefik CRDs in their own namespace can exploit this vulnerability, causing Traefik to resolve and apply middleware objects from another namespace, thereby bypassing documented isolation boundaries.

## Affected Versions

- **Affected Versions**: `<= v2.11.42`, `<= v3.6.13`, `<= v3.7.0-rc.2`
- **Fixed Versions**: `v2.11.43`, `v3.6.14`, `v3.7.0-rc.2`
- **Severity**: Moderate (4.8 / 10)
- **CVSS v4 Base Metrics**:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Attack Requirements: None
  - Privileges Required: Low
  - User Interaction: None
  - Confidentiality: None
  - Integrity: None
  - Availability: None

## Remediation

Please upgrade to the following versions:

- https://github.com/traefik/traefik/releases/tag/v2.11.43
- https://github.com/traefik/traefik/releases/tag/v3.6.14
- https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2

## Additional Information

- CVE ID: CVE-2025-41174
- Original Description: [Original Description](#)
- For questions or comments, please open an issue: [open an issue](#)
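
An audit for the pattern described in the Vulnerability Overview, as an added example (not Traefik's code and not part of the advisory): it reads a Middleware list in the JSON shape that a command such as `kubectl get middlewares.traefik.io -A -o json` returns and reports every `spec.chain.middlewares[]` entry whose `namespace` differs from the chain's own. The function name, the namespaces and the sample objects are constructed for illustration.

```python
import json

# API groups of the Traefik CRDs (v3 and v2 respectively).
TRAEFIK_GROUPS = ("traefik.io/", "traefik.containo.us/")

def cross_namespace_chain_refs(resource_list):
    """List chain entries that point at a Middleware outside the chain's own namespace."""
    findings = []
    for item in resource_list.get("items", []):
        if item.get("kind") != "Middleware":
            continue
        if not item.get("apiVersion", "").startswith(TRAEFIK_GROUPS):
            continue
        meta = item.get("metadata") or {}
        owner_ns = meta.get("namespace") or "default"
        chain = (item.get("spec") or {}).get("chain") or {}
        for ref in chain.get("middlewares") or []:
            # An omitted namespace means "same namespace as the chain".
            ref_ns = ref.get("namespace") or owner_ns
            if ref_ns != owner_ns:
                findings.append((owner_ns, meta.get("name"), ref_ns, ref.get("name")))
    return findings

# Constructed sample input (not from a real cluster).
SAMPLE = json.loads("""
{"items": [
  {"apiVersion": "traefik.io/v1alpha1", "kind": "Middleware",
   "metadata": {"name": "borrowed-chain", "namespace": "tenant-a"},
   "spec": {"chain": {"middlewares": [
     {"name": "local-headers"},
     {"name": "internal-auth", "namespace": "tenant-b"}]}}},
  {"apiVersion": "traefik.io/v1alpha1", "kind": "Middleware",
   "metadata": {"name": "local-chain", "namespace": "tenant-a"},
   "spec": {"chain": {"middlewares": [
     {"name": "local-headers", "namespace": "tenant-a"}]}}},
  {"apiVersion": "traefik.io/v1alpha1", "kind": "Middleware",
   "metadata": {"name": "local-headers", "namespace": "tenant-a"},
   "spec": {"headers": {"frameDeny": true}}}
]}
""")

if __name__ == "__main__":
    for owner_ns, owner, ref_ns, ref in cross_namespace_chain_refs(SAMPLE):
        print(f"{owner_ns}/{owner} chains {ref_ns}/{ref}")
```

Any finding on a cluster that relies on namespace isolation is worth reviewing both before and after upgrading to a fixed version.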