Traefik v3.6.21 is now available, addressing a critical security vulnerability and several important bugs. This release patches CVE-2026-54761 (advisory GHSA-3g6v-2r68-prfc), which could allow remote code execution in specific configurations. All users running v3.6.x are strongly advised to upgrade immediately.
Key changes in this release:
- CVE fix: Patches CVE-2026-54761 (GHSA-3g6v-2r68-prfc), a high-severity vulnerability. Details are restricted to protect users who have not yet upgraded.
- [k8s/gatewayapi]: Reject cross-provider references with backendRefs.namespace (PR #13322). This ensures that Kubernetes Gateway API resources cannot reference backends from other providers, preventing misconfiguration and potential security issues.
- [server]: Bump to github.com/pires/go-proxyproto v0.12.0 (PR #13313). This update improves compatibility with modern proxy protocols and fixes potential connection handling issues.
- [tls]: Fix routers with same host but different TLSoptions on different entry points (PR #13329). Previously, Traefik could incorrectly apply TLS settings, causing routing failures. Now, each entry point respects its own TLS configuration.
- [tls]: Fix SNI check for routers with no hosts (PR #13333). Routers without explicit host rules now correctly handle TLS handshakes, preventing connection errors in edge cases.
For developers, this release is crucial for maintaining security and reliability in production environments. The CVE fix should be treated as a priority upgrade. Additionally, the Gateway API fix enforces stricter cross-provider isolation, which is essential for multi-provider setups. The TLS fixes resolve subtle issues that could cause intermittent connectivity problems, especially in complex routing scenarios.
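To act on the upgrade advice above, the following added example (not Traefik project code) triages container image references against v3.6.21. The `triage` function, its verdict labels and the sample inventory are assumptions constructed for illustration; releases outside v3.6.x are reported as out of scope because this page only addresses that line.

```python
import re

FIXED = (3, 6, 21)  # patched release named on this page
_VER = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$")

def triage(image_ref):
    """Classify one container image reference against Traefik v3.6.21."""
    ref = image_ref.strip().split("@", 1)[0]      # drop any @sha256 digest
    # The last path segment holds name:tag; registry ports sit in earlier segments.
    name, _, tag = ref.rsplit("/", 1)[-1].partition(":")
    if name != "traefik":
        return "not-traefik"
    m = _VER.match(tag)
    if not m or re.match(r"(rc|beta|alpha)", m.group(4) or ""):
        return "unknown"        # latest, digest-only, or pre-release tag
    major, minor, patch = int(m.group(1)), int(m.group(2)), m.group(3)
    if (major, minor) != (3, 6):
        return "out-of-scope"   # this page only covers the v3.6.x line
    if patch is None:
        return "floating"       # e.g. traefik:3.6, inspect the pulled image
    # Compare as integer tuples so that 3.6.9 sorts below 3.6.21.
    return "upgrade" if (major, minor, int(patch)) < FIXED else "ok"

# Constructed inventory, e.g. gathered from manifests or compose files.
SAMPLE = [
    "traefik:v3.6.20",
    "registry.local:5000/traefik:3.6.9",
    "traefik:v3.6.21",
    "traefik:3.6",
    "traefik:latest",
    "traefik@sha256:0000placeholder",
    "traefik:v3.5.4",
    "nginx:1.27",
]

def report(refs):
    """Map each image reference to its verdict."""
    return {ref: triage(ref) for ref in refs}

if __name__ == "__main__":
    for ref, verdict in report(SAMPLE).items():
        print(f"{verdict:12} {ref}")
```

A tag only states what was requested, so `floating` and `unknown` results need the running binary's reported version checked directly.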
Source: https://github.com/traefik/traefik/releases/tag/v3.6.21