FIND-20260406-004 · 2026-04-06 · Innovation Veille

Traefik v3.6.12 Released — Patches CVE-2026-33433 and CVE-2026-33186

release HIGH
Traefik 3.6.12 patches two CVEs: CVE-2026-33433 (BasicAuth/DigestAuth identity spoofing via non-canonical header field, MEDIUM CVSS 5.1) and CVE-2026-33186 (gRPC authorization bypass, CRITICAL CVSS 9.3). This is the version already tracked in last-versions.json. If ODS infrastructure is confirmed on 3.6.12, both CVEs are resolved. This release closes the previously tracked 'Traefik CRITICAL' open CVE.

Source

https://community.traefik.io/t/new-security-update-for-traefik-2-11-2-11-42-3-6-3-6-12-and-3-7-3-7-0-ea-3/29785

ODS Impact

API Gateway (Traefik) on both srv-staging and srv-agents must be confirmed at 3.6.12. This is the patched version. DevOps agent should verify running container image tags via Coolify dashboard or docker inspect. The previously flagged open Traefik CRITICAL CVE from prior watches is resolved by this version.
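An added example of the image-tag check described above (not part of the original finding or of Traefik's own tooling): it classifies image references, as reported by `docker ps` or `docker inspect`, against the 3.6.12 fix release. The function names are assumptions, and any tag that does not carry a full 3.6.x version is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example: classify Traefik image references against the 3.6.12 fix release.
PATCHED_LINE="3.6"   # release line tracked by this finding
PATCHED_PATCH=12     # first patched patch level on that line (3.6.12)

# Print the x.y.z version carried by an image reference, or nothing when the
# tag is floating or absent (latest, v3.6, digest-only pin, pre-release suffix).
tag_version() (
  ref="${1%%@*}"        # drop any @sha256:... digest
  last="${ref##*/}"     # last path component, so a registry port is not read as a tag
  case "$last" in
    *:*) tag="${last##*:}" ;;
    *)   tag="" ;;
  esac
  tag="${tag#v}"
  printf '%s\n' "$tag" | grep -Ex '[0-9]+\.[0-9]+\.[0-9]+' || true
)

# Print patched | unpatched | unknown for one image reference.
classify_image() (
  ver="$(tag_version "$1")"
  if [ -z "$ver" ]; then
    echo unknown                      # tag does not reveal the running version
  elif [ "${ver%.*}" != "$PATCHED_LINE" ]; then
    echo unknown                      # other release line: check its own fix version
  elif [ "${ver##*.}" -ge "$PATCHED_PATCH" ]; then
    echo patched
  else
    echo unpatched
  fi
)

# Live check: classify every running container whose image name contains "traefik".
check_running() {
  docker ps --format '{{.Names}} {{.Image}}' | while read -r name image; do
    case "$image" in
      *traefik*) printf '%s\t%s\t%s\n' "$name" "$image" "$(classify_image "$image")" ;;
    esac
  done
}

# Query Docker only when asked: sh check_traefik.sh --live
if [ "${1:-}" = "--live" ]; then check_running; fi
```

For a container reported as unknown, `docker exec <container> traefik version` shows the version of the binary actually running.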

Security Review

License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

traefik release security-patch api-gateway cve-fix 3.6.12