Traefik 3.6.14 released April 2026: five CVEs and a percent-encoded auth bypass
Traefik 3.6.14 shipped 21 April 2026 with patches for five CVEs. One of them, CVE-2026-40912, lets unauthenticated requests bypass ForwardAuth, BasicAuth, and DigestAuth via percent-encoded prefix tricks.