In Traefik versions before 2.10.5 and 3.0.0-beta4 a high severity vulnerability CVE-2023-54365 was detected. This vulnerability allows a remote attacker to rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability. To address this issue, users should upgrade Traefik to version 2.10.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2023-54365.
Read more SecurityIn Traefik versions 3.7.0-ea.1 to before 3.7.5 a medium severity vulnerability CVE-2026-54762 was detected. This vulnerability allows an unauthenticated attacker to access backend services that were intended to be protected, leading to an authentication bypass. This occurs in the Kubernetes Ingress NGINX provider due to a fail-open behavior. When an Ingress explicitly enables BasicAuth or DigestAuth through annotations, but the referenced auth-secret cannot be resolved or parsed (e.g., it is missing, malformed, or policy-denied), Traefik logs the error and skips installing the authentication middleware, while still routing traffic to the backend service. To address this issue, users should upgrade Traefik to version 3.7.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-54762.
In RustDesk Client versions up to, including, 1.4.5 on Windows, MacOS, Linux, iOS, Android, and WebClient a high severity vulnerability CVE-2026-30792 was detected. This vulnerability allows an attacker to bypass local security settings and manipulate Application API messages via a Man-in-the-Middle (MitM) attack. This occurs because the client blindly merges unauthenticated strategy payloads received during synchronization. Specifically, the strategy merge loop (in src/hbbs_http/sync.Rs) and the Config::set_options() engine fail to properly authenticate or validate incoming configuration payloads before applying them. To address this issue, users should upgrade RustDesk Client to a patched version 1.4.6 or newer. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-30792.
In RustDesk Client versions up to, including 1.4.5 on Windows, MacOS, Linux, iOS, and Android a high severity vulnerability CVE-2026-30794 was detected. This vulnerability allows an attacker to perform Adversary in the Middle (AiTM) attacks and intercept sensitive communications. This occurs due to improper certificate validation in the HTTP API client; specifically, if an initial TLS handshake fails, the client attempts a retry using the danger_accept_invalid_certs(true) configuration in the TLS transport module, which silently accepts invalid TLS certificates. To address this issue, users should upgrade RustDesk Client to a patched version 1.4.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-30794.
In authentik versions prior to 2025.12.6, 2026.2.4, and 2026.5.1 a high severity vulnerability CVE-2026-49443 was detected. This vulnerability allows an attacker to log into any user’s account (Account Takeover). This occurs because an attacker who has the ability to change a source connection and possesses an account in one of the configured sources can exploit improper validation of the source connection to bypass authentication. To address this issue, users should upgrade authentik to versions 2025.12.6, 2026.2.4, or 2026.5.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-4944.
Read more SecurityIn authentik versions prior to 2025.12.5 and 2026.2.3 a medium severity vulnerability CVE-2026-41577 was detected. This vulnerability allows an attacker to replay expired SAML assertions or use assertions intended for other service providers, potentially leading to unauthorized access. This occurs because the SAML source response processor (ResponseProcessor.parse()) fails to validate the Conditions element on assertions, improperly ignoring the NotBefore, NotOnOrAfter, and AudienceRestriction restrictions. To address this issue, users should upgrade authentik to versions 2025.12.5 or 2026.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-41577.
Read more SecurityIn Wazuh authd versions prior to 4.14.4 a low severity vulnerability CVE-2026-32984 was detected. This vulnerability allows an attacker to cause a denial of service (DoS) condition. This occurs due to a heap buffer overflow when the authentication daemon processes specially crafted input, leading to memory corruption and malformed heap data. To address this issue, users should upgrade Wazuh to version 4.14.3 (or later). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-32984.
Read more SecurityIn MinIO versions RELEASE.2022-07-24T01-54-52Z to before RELEASE.2026-04-14T21-32-45Z a medium severity vulnerability CVE-2026-42600 was detected. This vulnerability allows an attacker holding the cluster root JWT to read arbitrary files from outside the configured drive roots via a path traversal attack. This occurs because the ReadMultiple internode storage-REST endpoint improperly processes a msgpack-encoded POST request containing “../” sequences in the Bucket field, causing the server to open and return the contents of unintended files (bounded only by the MinIO process UID). To address this issue, users should upgrade MinIO to version RELEASE.2026-04-14T21-32-45Z. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-42600.
Read more StorageIn authentik versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2 a high severity vulnerability CVE-2026-40166 was detected. This vulnerability allows authenticated non-admin users to retrieve the confidential OAuth client_secret of providers they have previously authenticated against. This occurs because the GET /api/v3/oauth2/access_tokens/ endpoint improperly includes a nested provider object containing the client_id and client_secret in its response, exposing sensitive information to low-privilege users. To address this issue, users should upgrade authentik to versions 2025.12.5 or 2026.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40166.
Read more Security