Traefik StripPrefix route-level auth bypass
Path normalization issue in Traefik where StripPrefix middleware could affect route-level authorization boundaries. This note summarizes public advisory information without duplicating exploit payloads.
Summary
I identified a route-level authorization bypass in Traefik involving path normalization behavior when StripPrefix middleware is used. Under affected configurations, request paths could be interpreted differently across routing and authorization boundaries, potentially weakening expected route-level access-control behavior.
Affected product
- Vendor: Traefik Labs / Traefik
- Product: Traefik Proxy
- Vulnerability class: Broken Access Control / path normalization
- Fixed versions: v2.11.48, v3.6.19, v3.7.3
Impact
A mismatch between path normalization and route-level authorization handling could weaken intended access-control boundaries in affected Traefik configurations. Upgrade guidance and technical details are available in the official advisory.
Identifiers
- CVE: CVE-2026-48020
- GHSA: GHSA-xf64-8mw2-4gr2
- Credit: H4ck2
- Disclosure status: Patched / Public
Official references
Mitigation
- Upgrade Traefik to a fixed version: v2.11.48, v3.6.19, or v3.7.3.
- Review route-level authorization assumptions where path rewriting middleware is used.
- Refer to the official advisory for vendor-published technical details and affected-version guidance.
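The following is an added configuration example, not taken from the advisory or from the Traefik project, illustrating the review point above: keep the authorization decision bound to the router's original path and run it before any prefix rewriting. It is a Traefik v3 dynamic configuration for the file provider; the router, middleware and service names, the authorization-service address and the backend URL are hypothetical placeholders, and the example does not reproduce the advisory's issue itself.

```yaml
# Added example (not from the advisory). Traefik v3 dynamic configuration,
# file provider. All names and addresses are hypothetical placeholders.
http:
  routers:
    admin-api:
      # The router rule is the authorization boundary for this route and is
      # matched against the path exactly as the client sent it.
      rule: "PathPrefix(`/admin`)"
      entryPoints:
        - websecure
      # Middlewares run in the order listed. The authorization middleware is
      # listed first so it evaluates the unmodified request path; StripPrefix
      # rewrites the path only afterwards, for the backend's benefit.
      middlewares:
        - admin-auth
        - admin-strip
      service: admin-backend
  middlewares:
    admin-auth:
      forwardAuth:
        # Hypothetical authorization service. Because this middleware runs
        # before StripPrefix, the path it is asked to authorize is the one
        # the router matched, not the stripped one.
        address: "http://authz.internal:4181/verify"
        authResponseHeaders:
          - X-Auth-User
    admin-strip:
      stripPrefix:
        prefixes:
          - "/admin"
  services:
    admin-backend:
      loadBalancer:
        servers:
          # Hypothetical backend; it must not re-derive authorization from
          # the stripped path it receives.
          - url: "http://admin-app.internal:8080"
```

When auditing an existing deployment, check every router that lists a path-rewriting middleware and confirm that its authorization middleware (or the router rule itself) is what enforces the boundary, and that it is evaluated before the rewrite; the version upgrade in the first mitigation item is still required regardless of middleware order.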