Threat Advisory

Traefik Vulnerability Enables Route Authentication Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-48020, with a CVSS score of 7.5, is a route-level authentication bypass in Traefik’s StripPrefix middleware that allows an unauthenticated attacker to reach protected backend endpoints by abusing path normalisation. The flaw affects Traefik v2 packages prior to 2.11.48, v3 packages prior to 3.6.19, and early-access v3.7 builds before 3.7.3. When a public router uses a PathPrefix rule together with a StripPrefix middleware, a request containing “..” or its percent-encoded form “%2e%2e” can match the public rule, have the prefix stripped, and then be normalised to a path that falls under a separate router protected by authentication middleware. An attacker can exploit this by sending a crafted URL such as /api../admin or /api%2e%2e/internal/config to the exposed Traefik entry point; no prior authentication or special privileges are required, only knowledge of the public prefix. Successful exploitation grants the attacker direct access to admin panels, internal configuration APIs, or other sensitive services, potentially leading to data leakage, unauthorized configuration changes, or further compromise of downstream applications. Exploitation requires a vulnerable Traefik deployment that uses the described public-strip-prefix pattern and is reachable from the network.
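
The routing pattern described above, modelled as an added Go example (not Traefik’s own code): vulnerableStrip follows the public PathPrefix plus StripPrefix pipeline and shows the path a downstream router would see once the stripped remainder is re-rooted and normalised, while hardenedStrip is a defensive variant that only strips when the prefix ends on a segment boundary and the remainder contains no dot-segments. The /api public prefix and the sample request paths are assumptions chosen to mirror the advisory.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// publicPrefix is an assumed public router prefix (hypothetical deployment).
const publicPrefix = "/api"

// vulnerableStrip models the advisory's pattern: the public rule matches on
// a raw string prefix, StripPrefix removes it and re-roots the remainder,
// and normalisation then collapses ".." into a path owned by another router.
// It returns the resulting path and whether the public rule matched at all.
func vulnerableStrip(rawPath string) (string, bool) {
	decoded, err := url.PathUnescape(rawPath) // %2e%2e becomes ".."
	if err != nil || !strings.HasPrefix(decoded, publicPrefix) {
		return "", false
	}
	rest := strings.TrimPrefix(decoded, publicPrefix)
	if !strings.HasPrefix(rest, "/") {
		rest = "/" + rest // re-rooting turns "../admin" into "/../admin"
	}
	return path.Clean(rest), true // "/../admin" normalises to "/admin"
}

// hardenedStrip only strips when the prefix ends on a segment boundary
// ("/api" or "/api/...") and the remainder is already in normalised form,
// so a request cannot escape the public prefix after stripping.
func hardenedStrip(rawPath string) (string, bool) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil || !strings.HasPrefix(decoded, publicPrefix) {
		return "", false
	}
	rest := strings.TrimPrefix(decoded, publicPrefix)
	if rest == "" {
		rest = "/"
	}
	if !strings.HasPrefix(rest, "/") || path.Clean(rest) != rest {
		return "", false // "/api../x", "/api/../x" and "/apiv2/x" are rejected
	}
	return rest, true
}

func main() {
	for _, p := range []string{"/api/users", "/api../admin", "/api%2e%2e/internal/config"} {
		v, _ := vulnerableStrip(p)
		h, ok := hardenedStrip(p)
		fmt.Printf("%-28s vulnerable=%-17s hardened=%q ok=%v\n", p, v, h, ok)
	}
}
```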

RECOMMENDATION:

  • We recommend updating Traefik to version 2.11.48 (v2), 3.6.19 (v3) or 3.7.3 (v3.7 early access), depending on the release line in use.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-xf64-8mw2-4gr2
