Traefik v3.6.14 released on 22-04-2026
Traefik v3.6.14 is out now. It delivers several middleware and authentication fixes, clarifies Kubernetes CRD and sticky-session behaviour, and includes dependency and security updates for ACME and the Web UI.
See the GitHub release notes and the migration guide for full details and upgrade instructions: https://doc.traefik.io/traefik/v3.6/migrate/v3/#v3614
What’s in this release
- Middleware and authentication fixes: removal of untrusted X-headers with underscores, sanitisation of request URLs after prefix stripping, fixes and consistent logging for ForwardAuth (including trustForwardHeader behaviour and deprecation of ForwardAuth.TrustForwardHeader), and a fix preventing a basic-auth map lookup from leaving notFoundSecret empty.
- Kubernetes CRD and sticky-session fixes: the chain middleware CRD now honours allowCrossNamespace, SameSite cookie values for sticky sessions are treated case-insensitively, k8s docs and YAML indentation were updated, and watchNamespace is clarified to watch a single namespace.
- ACME and Web UI dependency/security updates: github.com/go-acme/lego/v4 bumped to v4.34.0 for ACME improvements and the Web UI form-data dependency upgraded (2.5.4, 3.0.4, 4.0.4) to address vulnerabilities.
Upgrade notes
- ForwardAuth.TrustForwardHeader is deprecated — review and update any configurations that rely on it and follow the migration guide: https://doc.traefik.io/traefik/v3.6/migrate/v3/#v3614
- If you need to roll back, revert to the previous v3.6.x release and report issues on the Traefik GitHub repository so maintainers can follow up.
Share your experience after upgrading — report bugs or feedback on the project’s GitHub tracker or the Traefik community channels.
