{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-44774","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-05-07T19:20:44.688Z","datePublished":"2026-05-15T16:30:43.265Z","dateUpdated":"2026-07-09T12:09:57.053Z"},"containers":{"cna":{"title":"Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false","problemTypes":[{"descriptions":[{"cweId":"CWE-284","lang":"en","description":"CWE-284: Improper Access Control","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","baseScore":6.4,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H","version":"4.0"}}],"references":[{"name":"https://github.com/traefik/traefik/security/advisories/GHSA-96qj-4jj5-wcjc","tags":["x_refsource_CONFIRM"],"url":"https://github.com/traefik/traefik/security/advisories/GHSA-96qj-4jj5-wcjc"},{"name":"https://github.com/traefik/traefik/releases/tag/v2.11.46","tags":["x_refsource_MISC"],"url":"https://github.com/traefik/traefik/releases/tag/v2.11.46"},{"name":"https://github.com/traefik/traefik/releases/tag/v3.6.17","tags":["x_refsource_MISC"],"url":"https://github.com/traefik/traefik/releases/tag/v3.6.17"},{"name":"https://github.com/traefik/traefik/releases/tag/v3.7.1","tags":["x_refsource_MISC"],"url":"https://github.com/traefik/traefik/releases/tag/v3.7.1"}],"affected":[{"vendor":"traefik","product":"traefik","versions":[{"version":"< 2.11.46","status":"affected"},{"version":">= 3.0.0-beta1, < 3.6.17","status":"affected"},{"version":">= 3.7.0-rc.0, < 3.7.1","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-05-15T16:30:43.265Z"},"descriptions":[{"lang":"en","value":"Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name ends with @internal, making it possible to route traffic to rest@internal in addition to the intended api@internal. In shared Gateway deployments where the REST provider is enabled, this allows a low-privileged actor to gain live dynamic configuration write access to Traefik, enabling unauthorized reconfiguration of routers and services. This vulnerability is fixed in 2.11.46, 3.6.17, and 3.7.1."}],"source":{"advisory":"GHSA-96qj-4jj5-wcjc","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-16T01:12:38.060089Z","id":"CVE-2026-44774","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-16T01:12:49.947Z"}},{"affected":[{"cpes":["cpe:/a:redhat:openshift_devspaces:3.29::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Dev Spaces 3.29","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_gitops:1"],"defaultStatus":"unaffected","product":"Red Hat OpenShift GitOps","vendor":"Red Hat"}],"datePublic":"2026-05-15T16:30:43.265Z","descriptions":[{"lang":"en","value":"A flaw was found in Traefik. A low-privileged tenant with HTTPRoute creation permissions in Traefik's Kubernetes Gateway API provider can bypass security settings. This allows the tenant to expose the REST provider handler and gain live dynamic configuration write access to Traefik. This vulnerability enables unauthorized reconfiguration of routers and services, potentially leading to privilege escalation within the system."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.3,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-15","description":"External Control of System or Configuration Setting","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-44774"},{"name":"RHBZ#2477937","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2477937"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44774.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:36820"}],"solutions":[{"lang":"en","value":"RHSA-2026:36820: Red Hat OpenShift Dev Spaces 3.29"}],"timeline":[{"lang":"en","time":"2026-05-15T17:01:12.579Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-15T16:30:43.265Z","value":"Made public."}],"title":"traefik: Traefik: Privilege escalation via Kubernetes Gateway API provider configuration bypass","workarounds":[{"lang":"en","value":"Upgrade Traefik to version 2.11.46 or later (2.x line), 3.6.17 or later (3.6.x line), or 3.7.1 or later (3.7.x line) by installing updated Red Hat OpenShift Dev Spaces releases that ship a fixed traefik-rhel9 container image.\n\nUntil updated images are available, limit which principals can create HTTPRoute resources in namespaces where Traefik runs with the Kubernetes Gateway API provider. Disable or tightly restrict the Traefik REST dynamic configuration provider in shared Gateway deployments, and block untrusted use of TraefikService backends that reference @internal handlers."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-09T12:09:57.053Z"}}]}}