### Vulnerability Overview

The `traefik` `v2.11.43` release addresses multiple security vulnerabilities (CVEs), primarily authentication and authorization issues in middleware. These vulnerabilities may lead to unauthorized access, information disclosure, or denial of service.

### Affected Scope

- **CVE-2026-40912**: Affects middleware using `Basic Auth`.
- **CVE-2026-39858**: Affects middleware using `ForwardAuth`.
- **CVE-2026-35051**: Affects middleware using `ForwardAuth`.
- **CVE-2026-41263**: Affects middleware using `ForwardAuth`.
- **CVE-2026-41174**: Affects middleware using `ForwardAuth`.

### Remediation

1. **CVE-2026-40912**:
   - **Description**: Removing the map lookup causes `NotFoundSecret` for Basic Auth to be empty.
   - **Fix**: Update the middleware configuration to ensure `NotFoundSecret` is not empty.
2. **CVE-2026-39858**:
   - **Description**: Fixes `trustForwardHeader` on the `ForwardAuth` middleware.
   - **Fix**: Update the middleware configuration to set `trustForwardHeader` correctly.
3. **CVE-2026-35051**:
   - **Description**: Cleans up and fixes consistency in `ForwardAuth` logging.
   - **Fix**: Update the middleware configuration to ensure consistent logging.
4. **CVE-2026-41263**:
   - **Description**: Removes untrusted headers containing underscores.
   - **Fix**: Update the middleware configuration to remove untrusted headers.
5. **CVE-2026-41174**:
   - **Description**: Cleans the request URL after stripping the prefix.
   - **Fix**: Update the middleware configuration to ensure the request URL is cleaned properly.

### Other Fixes

- **Bug fixes**:
  - Resolved multiple middleware-related issues, including authentication, authorization, and logging.

### Contributors

- **julien**
- **kevinpollet**
- **rtribotte**

### Assets

- Binaries are provided for multiple platforms, including Linux, Darwin, FreeBSD, and Windows, and for several architectures (amd64, arm64, 386, ppc64le, riscv64, s390x).
### Summary

`traefik` version `v2.11.43` fixes multiple security vulnerabilities, primarily authentication and authorization issues in middleware. Users are advised to upgrade to this version as soon as possible.