CVE•Published 2026-05-15•Modified 2026-05-19•1 article on news•6 live references•NVD data

CVE-2026-44774Traefik · Traefik

Vulnerability data via NVD (ingested)

CVSS v3.1

9.9

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS percentile

—

Weaknesses (CWE)

CWE-284Improper Access Control

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name ends with @internal, making it possible to route traffic to rest@internal in addition to the intended api@internal. In shared Gateway deployments where the REST provider is enabled, this allows a low-privileged actor to gain live dynamic configuration write access to Traefik, enabling unauthorized reconfiguration of routers and services. This vulnerability is fixed in 2.11.46, 3.6.17, and 3.7.1.

Timeline

Published 2026-05-15

Modified 2026-05-19

External references

NVD MITRE Exploit-DB GitHub PoC Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-44774

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product

product:"Traefik Traefik"

All exposed Traefik Traefik instances — cross-reference with the CVE's affected-version range.

Shodan · banner/body mention

http.html:"Traefik"

HTTP body or banner mentions "Traefik" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-44774