Traefik v3.7.1 released on 11-05-2026

Traefik v3.7.1 is out now. It includes a security fix for CVE-2026-44774 and changes that affect Kubernetes provider behaviour, so Kubernetes operators and multi-namespace/multi-provider deployments should review the changes.
For full details and recommended actions, read the v3.7→v3.7.1 migration guide at https://doc.traefik.io/traefik/v3.7/migrate/v3/#v371, the Traefik security advisory (GHSA-96qj-4jj5-wcjc), and the NVD entry for the CVE.

What’s in this release
- Security fix: CVE-2026-44774 addressed — see the Traefik advisory (GHSA-96qj-4jj5-wcjc) and the NVD entry for details and recommended actions.
- New CrossProviderNamespaces option for the Kubernetes providers (k8s/ingress, k8s/crd, k8s/gatewayapi), which changes how cross-provider namespace references are handled (PR #13094).
- Bug fix for Kubernetes CRD provider: corrected cross-provider reference checks for CRD-backed resources (PR #13121).

Upgrade notes
- Important migration step: follow the v3.7→v3.7.1 migration guide at https://doc.traefik.io/traefik/v3.7/migrate/v3/#v371 to understand required configuration or behaviour changes before upgrading.
- The release notes do not include explicit rollback instructions; consult the project’s documentation and the GitHub advisory if you need assistance reverting or validating changes after an upgrade.

Share comments on your experience upgrading to v3.7.1 — problems, confirmations that the fix worked, or any unexpected behaviour you observe.
