CVE-2026-54762: Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails
There is a medium severity vulnerability in Traefik’s Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported nginx.ingress.kubernetes.io/auth-type and auth-secret annotations, but the referenced auth Secret cannot be resolved or parsed, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. A route that operators intended to protect is therefore published to the data plane without its authentication control, allowing unauthenticated access to the backend. The trigger is an invalid or unresolved auth dependency — a missing, malformed, unreadable, or policy-denied Secret — rather than an intentionally unprotected route.
Traefik’s Kubernetes Ingress NGINX provider can fail open for routes that explicitly configure BasicAuth or DigestAuth through supported ingress-nginx annotations.
When an Ingress contains nginx.ingress.kubernetes.io/auth-type: basic or digest, but the referenced nginx.ingress.kubernetes.io/auth-secret cannot be resolved or parsed, Traefik logs the auth resolution error, skips installing the BasicAuth/DigestAuth middleware, and still emits a router to the backend service.
This can expose a route that operators intended to protect. The issue is not that an invalid Secret exists; the issue is that an explicitly auth-protected Ingress location is translated into a live backend route where the authentication control is removed from the generated data-plane configuration, with only a controller log entry, instead of failing closed.
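As an added illustration of the behaviour described above (not Traefik's own provider code; the Ingress, Secret and Router types and the Translate function are hypothetical), the following Go model shows the fail-open translation beside a fail-closed variant that withholds the route when the referenced auth Secret is missing or lacks the expected `auth` key:

```go
package main

import "fmt"

// Added illustration of the reported fail-open path, not Traefik's code: every name is hypothetical.
type Ingress struct{ Name, Namespace, Backend string; Annotations map[string]string }

// Secret models a Kubernetes Secret; a nil Data map stands for "not resolvable".
type Secret struct{ Data map[string][]byte }

// Router is the emitted data-plane route; an empty Middlewares list means no auth was installed.
type Router struct{ Service string; Middlewares []string }

const (
	annAuthType   = "nginx.ingress.kubernetes.io/auth-type"
	annAuthSecret = "nginx.ingress.kubernetes.io/auth-secret"
)

// resolveAuthMiddleware names the auth middleware for an Ingress, or fails when the
// referenced Secret is missing or lacks the htpasswd content under the "auth" key.
func resolveAuthMiddleware(ing Ingress, secrets map[string]Secret) (string, error) {
	ref := ing.Annotations[annAuthSecret]
	sec, ok := secrets[ing.Namespace+"/"+ref]
	if !ok || sec.Data == nil {
		return "", fmt.Errorf("auth secret %q not found", ref)
	}
	if len(sec.Data["auth"]) == 0 {
		return "", fmt.Errorf("auth secret %q has no \"auth\" key", ref)
	}
	return ing.Name + "-" + ing.Annotations[annAuthType] + "-auth", nil
}

// Translate turns one Ingress into a router. failClosed=false reproduces the reported
// behaviour (error logged, router still emitted without the middleware); failClosed=true
// withholds the route instead, so an unresolved auth dependency never publishes the backend.
func Translate(ing Ingress, secrets map[string]Secret, failClosed bool) (*Router, error) {
	r := &Router{Service: ing.Backend}
	if t := ing.Annotations[annAuthType]; t != "basic" && t != "digest" {
		return r, nil // no auth requested: plain route
	}
	mw, err := resolveAuthMiddleware(ing, secrets)
	switch {
	case err == nil:
		r.Middlewares = append(r.Middlewares, mw)
	case failClosed:
		return nil, fmt.Errorf("withholding route %s: %w", ing.Name, err)
	default:
		fmt.Println("error:", err) // fail open: the unprotected route is still published
	}
	return r, nil
}
```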
Tested affected versions:
- Current master: 29406d42898547f1ffabd904f66af06c212740cf
- Latest tag tested by me: v3.7.1 (fa49e2bcad7ffd8a80accdf1fae1ae480913d93d)
The KubernetesIngressNGINX provider is documented as no longer experimental as of v3.6.2, and the auth-type, auth-secret, auth-secret-type, and auth-realm annotations are documented supported annotations.