This release fixes issues for SREs watching stability and regressions.
✓ No known CVEs patched in this version
Topics
+7 more
Affected surfaces
Summary
AI summaryUpdates https://github.com/traefik/traefik/pull/13195, https://github.com/traefik/traefik/pull/13227, and https://github.com/traefik/traefik/pull/13214 across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Dependency | Low |
Bumps golang.org/x/net dependency to v0.55.0. Bumps golang.org/x/net dependency to v0.55.0. Source: llm_adapter@2026-06-03 Confidence: high |
— |
| Dependency | Low |
Bumps golang.org/x/crypto dependency to v0.52.0. Bumps golang.org/x/crypto dependency to v0.52.0. Source: llm_adapter@2026-06-03 Confidence: high |
— |
| Bugfix | Medium |
Adds error on basic auth build if users list is empty. Adds error on basic auth build if users list is empty. Source: llm_adapter@2026-06-03 Confidence: high |
— |
| Bugfix | Medium |
Avoids ingress path matcher injection in k8s Ingress handling. Avoids ingress path matcher injection in k8s Ingress handling. Source: llm_adapter@2026-06-03 Confidence: high |
— |
| Bugfix | Medium |
Moves snicheck to request context instead of simulated routing. Moves snicheck to request context instead of simulated routing. Source: llm_adapter@2026-06-03 Confidence: high |
— |
| Bugfix | Medium |
Rejects requests with mismatched paths after StripPrefix normalisation. Rejects requests with mismatched paths after StripPrefix normalisation. Source: llm_adapter@2026-06-03 Confidence: high |
— |
Full changelog
Bug fixes:
- [middleware, authentication] Add error on basic auth build if users is empty (#13195 @rtribotte)
- [k8s/ingress] Avoid ingress path matcher injection and backport 11d251415 (#13227 @rtribotte)
- [server] Move snicheck to ctx instead of simulated routing (#13214 @juliens)
- [middleware] Reject requests with different paths after StripPrefix and StripPrefixRegex normalisation (#13215 @rtribotte)
- [server] Bump golang.org/x/net to v0.55.0 (#13251 @kevinpollet)
- [server] Bump golang.org/x/crypto to v0.52.0 (#13276 @rtribotte)
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Related context
Beta — feedback welcome: [email protected]