CVE-2026-41174: Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding
(updated )
There is a vulnerability in Traefik’s Kubernetes CRD provider cross-namespace isolation enforcement.
When providers.kubernetesCRD.allowCrossNamespace=false, Traefik correctly rejects direct cross-namespace middleware references from IngressRoute objects, but fails to apply the same restriction to middleware references nested inside a Chain middleware’s spec.chain.middlewares[]. An actor with permission to create or update Traefik CRDs in their own namespace can exploit this to cause Traefik to resolve and apply middleware objects from another namespace, bypassing the documented isolation boundary.
When providers.kubernetesCRD.allowCrossNamespace=false, Traefik still allows a namespace-local Middleware of type Chain to reference middleware objects from another namespace via spec.chain.middlewares[].namespace.
This bypasses the documented cross-namespace restriction and allows an actor with permission to create or update Traefik CRDs in namespace A to bind middleware defined in namespace B to routes in namespace A.
References
- github.com/advisories/GHSA-xhjw-95fp-8vgq
- github.com/traefik/traefik/commit/df00d82fc7f12e07199551832b54de6d0e55414d
- github.com/traefik/traefik/releases/tag/v2.11.43
- github.com/traefik/traefik/releases/tag/v3.6.14
- github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
- github.com/traefik/traefik/security/advisories/GHSA-xhjw-95fp-8vgq
- nvd.nist.gov/vuln/detail/CVE-2026-41174
Code Behaviors & Features
Detect and mitigate CVE-2026-41174 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →