# Traefik v3.7.0-rc.2 Vulnerability Remediation Summary

## Vulnerability Overview

This release candidate fixes multiple security vulnerabilities (CVEs), primarily in Traefik's core request handling, its Ingress-Nginx compatibility layer, several middlewares, and the WebUI.

## Scope of Impact

- **Traefik core**: Several of the CVEs affect core Traefik functionality.
- **Ingress-Nginx integration**: Affects the Kubernetes Ingress-Nginx provider (annotation handling, redirects, upstream host resolution).
- **Middleware**: Affects authentication (ForwardAuth, BasicAuth), redirection, and cookie/session handling middleware.
- **WebUI**: Affects the WebUI component.

## Remediation Measures

### CVE Fix List

- **CVE-2026-40912** (Advisory GHSA-6jwx-7vpd-9847)
- **CVE-2026-39858** (Advisory GHSA-5m6w-vwh7-57m)
- **CVE-2026-35051** (Advisory GHSA-6384-m2mw-rf54)
- **CVE-2026-41263** (Advisory GHSA-6x2q-h3cr-8j2h)
- **CVE-2026-41174** (Advisory GHSA-xhjw-95fp-8vqg)

### Related Bug Fixes

- **Ingress-Nginx related**:
  - Fixed the 302 redirect issued when the `rewrite-target` value is not an absolute URL.
  - Fixed issues with custom header annotations and 503 Service Unavailable responses.
  - Fixed services that became unavailable on ingress-nginx.
  - Handled duplicate `server-alias` entries in the ingress-nginx provider.
  - Used `QuoteMeta` on cookie names when building canary rules, so regex metacharacters in a cookie name cannot widen the match.
  - Fixed rewrite targets that are full URLs and contain no regular expression.
  - Fixed request query strings on absolute-URL redirects.
  - Parsed NGINX variables in Ingress-Nginx upstream host annotations.
  - Deprecated the `ForwardAuth.TrustForwardHeader` option.
  - Removed untrusted X headers whose names contain underscores.
  - Cleaned request URLs and removed prefixes.
- **Middleware related**:
  - Cleaned up ForwardAuth logging for consistency.
  - Fixed the forward authentication middleware's handling of `TrustForwardHeader`.
  - Removed map lookups that caused the BasicAuth `NotFoundSecret` to be empty.
  - Fixed `app-root` redirection when query parameters are present.
- **Other fixes**:
  - Fixed case-insensitive matching of SameSite cookie values.
  - Restored the default cipher suites when a `Transport` has no explicitly defined `cipherSuites`.
  - Upgraded `go-acme/lego/v4` to v34.4.0.
  - Lowered the log level for missing containers in inspect.
  - Allowed cross-namespace chain middleware CRDs.

### Documentation Updates

- Fixed YAML indentation.
- Clarified that setting `watchNamespace` makes the installation watch only a single namespace.
- Updated `ingressroute.md`.
- Documented the behavior of the `rd` parameter in `auth-signin` annotations.
- Updated the reverse version order in the migration guide.
- Updated the vulnerability submission guide.

**Note**: No proof-of-concept or exploit code is included on this page. Refer to the official migration guide for detailed remediation instructions.
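The `TrustForwardHeader` and "untrusted X headers containing underscores" items above describe one guard: client-identity headers such as `X-Forwarded-For` are only meaningful when a trusted proxy set them, and an underscore spelling like `X_Forwarded_For` must not slip past a check that only knows the hyphenated name. The Go snippet below is an added example written for this page, not Traefik's own code; the function names, the trusted-CIDR input and the prefix list are assumptions. It strips `X-Forwarded-*` and `X-Real-IP` headers from requests whose remote address lies outside the trusted networks, folding underscores to hyphens before comparing names.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"sort"
	"strings"
)

// Header families that carry client identity and must only be honoured when a
// known proxy set them. Compared in normalized form (lower-case, underscores
// folded to hyphens). This list is an assumption made for the example.
var forwardedPrefixes = []string{"x-forwarded-", "x-real-ip"}

// IsForwardedHeader reports whether name is a forwarded-client header, treating
// "X_Forwarded_For" and "x-forwarded-for" as the same header.
func IsForwardedHeader(name string) bool {
	n := strings.ToLower(strings.ReplaceAll(name, "_", "-"))
	for _, p := range forwardedPrefixes {
		if strings.HasPrefix(n, p) {
			return true
		}
	}
	return false
}

// MustCIDRs parses CIDR strings into networks; it panics on malformed input so
// a bad trusted-proxy list fails at startup instead of silently trusting nothing.
func MustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(fmt.Sprintf("bad trusted CIDR %q: %v", c, err))
		}
		out = append(out, n)
	}
	return out
}

// RemoteTrusted reports whether remoteAddr ("ip:port" or a bare IP) falls in
// one of the trusted networks. Unparseable addresses are never trusted.
func RemoteTrusted(remoteAddr string, trusted []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// StripUntrustedForwarded deletes every forwarded-client header from h when the
// peer is not a trusted proxy and returns the removed header names, sorted.
// Deletion uses the raw map key so non-canonical spellings are removed too.
func StripUntrustedForwarded(h http.Header, remoteAddr string, trusted []*net.IPNet) []string {
	if RemoteTrusted(remoteAddr, trusted) {
		return nil
	}
	removed := []string{}
	for name := range h {
		if IsForwardedHeader(name) {
			removed = append(removed, name)
		}
	}
	for _, name := range removed {
		delete(h, name)
	}
	sort.Strings(removed)
	return removed
}

func main() {
	// Constructed request headers: a client outside the trusted range spoofs
	// both the hyphenated and the underscore spelling of X-Forwarded-For.
	h := http.Header{}
	h.Set("X-Forwarded-For", "10.0.0.5")
	h["X_Forwarded_For"] = []string{"10.0.0.5"}
	h.Set("Accept", "*/*")
	removed := StripUntrustedForwarded(h, "203.0.113.7:51234", MustCIDRs("10.0.0.0/8"))
	fmt.Println("removed:", removed)
	fmt.Println("kept Accept:", h.Get("Accept"))
}
```

The check runs on the raw map keys rather than through `http.Header.Del`, because `Del` canonicalizes its argument and would miss a key such as `X_Forwarded_For` that was never canonicalized on the way in.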
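The `QuoteMeta` item above is a small but classic bug: a cookie name taken from an annotation is spliced into a regular expression, so any metacharacter in the name changes what the canary rule matches. The Go snippet below is an added example for this page, not Traefik's code; the rule shape `HeaderRegexp(`Cookie`, ...)` and the helper names are assumptions. It builds the cookie pattern both with and without `regexp.QuoteMeta` and shows that the unquoted form also matches a differently named cookie, while a name containing `(` does not even compile unquoted.

```go
package main

import (
	"fmt"
	"regexp"
)

// cookiePattern returns a regular expression matching a single `name=value`
// cookie inside a Cookie header. When quote is true, name and value pass
// through regexp.QuoteMeta so "." in "canary.v2" means a literal dot.
func cookiePattern(name, value string, quote bool) string {
	if quote {
		name, value = regexp.QuoteMeta(name), regexp.QuoteMeta(value)
	}
	return fmt.Sprintf(`(?:^|;\s*)%s=%s(?:;|$)`, name, value)
}

// CanaryCookieRule builds a hypothetical router rule in HeaderRegexp form
// (assumed shape for this example) using the quoted pattern.
func CanaryCookieRule(name, value string) string {
	return fmt.Sprintf("HeaderRegexp(`Cookie`, `%s`)", cookiePattern(name, value, true))
}

// CookieMatches reports whether the Cookie header value matches the cookie
// pattern for name/value, quoted or not. A pattern that fails to compile
// counts as no match.
func CookieMatches(header, name, value string, quote bool) bool {
	re, err := regexp.Compile(cookiePattern(name, value, quote))
	if err != nil {
		return false
	}
	return re.MatchString(header)
}

func main() {
	// Constructed Cookie header: the cookie is named canaryXv2, not canary.v2.
	header := "session=abc; canaryXv2=always"
	fmt.Println("unquoted matches:", CookieMatches(header, "canary.v2", "always", false))
	fmt.Println("quoted matches:  ", CookieMatches(header, "canary.v2", "always", true))
	fmt.Println(CanaryCookieRule("canary.v2", "always"))
}
```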