Traefik v3.7.5 Patches High-Severity CVEs and Fixes Kubernetes Provider Bugs

Traefik · 19 Jun 2026

Traefik v3.7.5 is now available. This patch release addresses two high-severity CVEs and fixes multiple bugs in the Kubernetes providers and TLS routing, improving stability in ingress handling.

Concrete changes:

  • Security: Fixes CVE-2026-54761 (GHSA-3g6v-2r68-prfc) and CVE-2026-54762 (GHSA-4mr2-fg2p-w63c). Both are remote code execution (RCE) vulnerabilities; upgrade immediately.
  • Bug fixes for Kubernetes ingress providers:
    • [k8s/ingress-nginx] Skip ingress when auth-secret resolution fails (PR #13323 by @gndz07). Prevents crash when auth secret is missing.
    • [k8s/ingress-nginx] Pass endpointslice fencing on ingress-nginx provider (PR #13290 by @Learloj). Ensures correct endpoint selection.
    • [k8s/gatewayapi] Reject cross-provider references with backendRefs.namespace (PR #13322 by @youkoulayley). Enforces namespace boundaries.
  • Server: Bump to github.com/pires/go-proxyproto v0.12.0 (PR #13313 by @timschumi). Updates PROXY protocol library.
  • TLS fixes:
    • Fix routers with same host, different TLS options on different entry points (PR #13329 by @juliens). Resolves conflicting TLS config.
    • Fix SNI check for routers with no hosts (PR #13333 by @rtribotte). Prevents incorrect TLS handshake failures.

This release is critical for anyone using Traefik with Kubernetes or custom TLS configuration. The CVE fixes require urgent updating, while the provider bug fixes improve reliability in ingress and gateway API setups. Upgrade via helm upgrade or binary download.

Source: https://github.com/traefik/traefik/releases/tag/v3.7.5
