On January 14, 2026, we patched the following vulnerability with Traefik Proxy 2.11.35 and 3.6.7:
- CVE-2026-22045 (Advisory GHSA-cwjm-3f7h-9hwqj)
Breaking change
As explained in the comment left on the CVE-2025-66490 fix, this new hotfix version makes the behavior opt-in.
As a result, this release is breaking compared to the previous hotfix versions since v3.6.4 (v2.11.32), but it restores by default the behavior that existed before that hotfix.
Please read the migration guide v3.6 or v2.11 to enable the feature.
If you have any questions or comments about this vulnerability or the behavior change, please add a comment.