Traefik v3.7.3 is now available, addressing three CVEs: CVE-2026-48020, CVE-2026-48491, and CVE-2026-53622. These security vulnerabilities have been fixed via advisory GHSA-xf64-8mw2-4gr2, GHSA-5r4w-85f3-pw66, and GHSA-9cr8-q42q-g8m7 respectively. Users are strongly encouraged to update and review the migration guide before upgrading.
This release also resolves several bugs affecting core features. TLS options computation now properly applies models after loading, fixing #13291. The WebUI dashboard flow diagram now correctly resolves TCP router services (#13155). For Kubernetes ingress-nginx users, quotes are trimmed from proxy_set_header header names (#13203) and Ssl-Client-* headers are cleared when no client certificate is present (#13260). Access log improvements include escaping double quotes in quoted fields (#13180) and allowing query parameters to be dropped from RequestPath (#13091). Additional fixes include trimming exact gRPC method matches for Gateway API (#13201), better handling of dangling symlinks in the file provider (#12449), and an error added when basic auth users list is empty (#13195).
Developers should update to v3.7.3 to mitigate security risks and improve reliability in Kubernetes and TCP routing scenarios. Pay special attention to TLS configuration and access log formatting if customized.
Source: https://github.com/traefik/traefik/releases/tag/v3.7.3