Traefik Release Notes

Important: Please read the migration guide.

CVE fixed

• CVE-2026-48020 (Advisory GHSA-xf64-8mw2-4gr2)
• CVE-2026-48491 (Advisory GHSA-5r4w-85f3-pw66)
• Advisory GHSA-9cr8-q42q-g8m7 (CVE pending)

Bug fixes

• [tls] Compute resolved tlsOptions after applying models (#13291 @rtribotte)
• [webui, tcp] Fix TCP router service resolution in dashboard flow diagram (#13155 @aliamerj)
• [k8s/ingress-nginx] Trim quotes from proxy_set_header header name (#13203 @crisbal)
• [accesslogs] Escape double quotes in quoted log fields (#13180 @KaanSimsek)
• [k8s/gatewayapi] Escape exact gRPC method matches (#13201 @nickmnt)
• [logs, middleware] Allow query parameters to be dropped from RequestPath in access log (#13091 @calinelson)
• [k8s/ingress-nginx] Clear Ssl-Client-* headers when no client certificate is present (#13260 @gndz07)
• [k8s/gatewayapi] Bump github.com/moby/spdystream to v0.5.1 (#13252 @kevinpollet)
• [file] Improve file provider behavior regarding dangling symlinks (#12449 @fh-yuxiao-zeng)
• [server] Bump github.com/bytedance/sonic to v1.15.1 (#13254 @kevinpollet)
• [middleware, authentication] Add error on basic auth build if users is empty (#13195 @rtribotte)
• [k8s/ingress] Avoid ingress path matcher injection and backport 11d2514 (#13227 @rtribotte)
• [server] Move snicheck to ctx instead of simulated routing (#13214 @juliens)
• [middleware] Reject requests with different paths after StripPrefix and StripPrefixRegex normalisation (#13215 @rtribotte)
• [server] Bump golang.org/x/net to v0.55.0 (#13251 @kevinpollet)
• [k8s/gatewayapi] Change default values and expose configuration for Kubernetes client QPS and Burst (#13277 @kevinpollet)
• [server] Bump golang.org/x/crypto to v0.52.0 (#13276 @rtribotte)

Documentation

• [k8s] Document new chart behavior on Gateway API (#13167 @mloiseleur)
• [file] Replace generated File routing reference page (#13170 @sheddy-traefik)
• [k8s/crd] Fix typo in accesslogs field name (#13177 @PlayMTL)
• [k8s/ingress-nginx] Surface the Ingress status race condition during NGINX coexistence (#13205 @emilevauge)
• Polish grammar in migration guides (#13174 @quyentonndbs)
• [middleware] Remove whitespace in HTML tag (#13160 @marbon87)
• Add @LBF38 as a current maintainer (#13225 @emilevauge)
• Add ingressClassName to Kubernetes CRD provider migration guide (#13248 @kevinpollet)
• [k8s/ingress-nginx] Add nginx.ingress.kubernetes.io/enable-global-auth to the list of supported annotations (#13219 @filip2mac)
• [k8s/ingress-nginx] Capitalize NGINX in kubernetesIngressNGINX (#13236 @smellems)

Important

Please read the migration guide.

CVE fixed

CVE-2026-48020 (Advisory GHSA-xf64-8mw2-4gr2)

Bug fixes

• [tls] Compute resolved tlsOptions after applying models (#13291 @rtribotte)
• [accesslogs] Escape double quotes in quoted log fields (#13180 @KaanSimsek)
• [k8s/gatewayapi] Escape exact gRPC method matches (#13201 @nickmnt)
• [logs, middleware] Allow query parameters to be dropped from RequestPath in access log (#13091 @calinelson)
• [k8s/gatewayapi] Bump github.com/moby/spdystream to v0.5.1 (#13252 @kevinpollet)
• [file] Improve file provider behavior regarding dangling symlinks (#12449 @fh-yuxiao-zeng)
• [server] Bump github.com/bytedance/sonic to v1.15.1 (#13254 @kevinpollet)
• [middleware, authentication] Add error on basic auth build if users is empty (#13195 @rtribotte)
• [k8s/ingress] Avoid ingress path matcher injection and backport 11d2514 (#13227 @rtribotte)
• [server] Move snicheck to ctx instead of simulated routing (#13214 @juliens)
• [middleware] Reject requests with different paths after StripPrefix and StripPrefixRegex normalisation (#13215 @rtribotte)
• [server] Bump golang.org/x/net to v0.55.0 (#13251 @kevinpollet)
• [k8s/gatewayapi] Change default values and expose configuration for Kubernetes client QPS and Burst (#13277 @kevinpollet)
• [server] Bump golang.org/x/crypto to v0.52.0 (#13276 @rtribotte)

Documentation

• [file] Replace generated File routing reference page (#13170 @sheddy-traefik)
• [k8s/crd] Fix typo in accesslogs field name (#13177 @PlayMTL)
• [k8s/ingress-nginx] Surface the Ingress status race condition during NGINX coexistence (#13205 @emilevauge)
• Polish grammar in migration guides (#13174 @quyentonndbs)
• [middleware] Remove whitespace in HTML tag (#13160 @marbon87)
• Add @LBF38 as a current maintainer (#13225 @emilevauge)
• [k8s/ingress-nginx] Capitalize NGINX in kubernetesIngressNGINX (#13236 @smellems)

Important: Please read the migration guide.

CVE fixed:

CVE-2026-48020 (Advisory GHSA-xf64-8mw2-4gr2)

Bug fixes:

• [tls] Compute resolved tlsOptions after applying models (#13291 @rtribotte)
• [middleware, authentication] Add error on basic auth build if users is empty (#13195 @rtribotte)
• [k8s/ingress] Avoid ingress path matcher injection and backport 11d2514 (#13227 @rtribotte)
• [server] Move snicheck to ctx instead of simulated routing (#13214 @juliens)
• [middleware] Reject requests with different paths after StripPrefix and StripPrefixRegex normalisation (#13215 @rtribotte)
• [server] Bump golang.org/x/net to v0.55.0 (#13251 @kevinpollet)
• [server] Bump golang.org/x/crypto to v0.52.0 (#13276 @rtribotte)

Important

Please read the migration guide.

Enhancements

• [k8s/ingress-nginx] Use a metamodel to generate dynamic configuration in ingress-nginx (#13062 @juliens)
• [k8s/ingress-nginx] Add limit-connections support (#13030 @amazon7737)
• [webui] Display server weight in service detail view (#12325 @murataslan1)
• [webui, tls] Add certificates menu and overview (#12628 @holomekc)
• [provider] Add providers routing precedence configuration (#12895 @juliens)
• [k8s/ingress-nginx] Support NGINX global auth annotation (#12893 @foxcool)
• [k8s/ingress-nginx] Add limit-burst-multiplier annotation support (#12899 @amazon7737)
• [k8s/ingress-nginx, k8s/ingress, rules] Add wildcard host in Host and HostSNI matchers (#12884 @juliens)
• [k8s/gatewayapi] Support multiple certificateRefs on gateway listeners (#12590 @mortennordbye)
• [k8s/gatewayapi] Add secret support for BackendTLSPolicy caCertificateRefs (#12927 @kevinpollet)
• [accesslogs, k8s/ingress-nginx] Support nginx.ingress.kubernetes.io/enable-access-log annotation (#12908 @ris-tlp)
• [accesslogs, k8s/ingress-nginx, k8s/ingress] Add Kubernetes Ingress logs fields (#12913 @rtribotte)
• [k8s/knative] Support knative v1.20.0 (#12441 @idurgakalyan)
• [k8s/gatewayapi] Bump sigs.k8s.io/gateway-api to v1.5.1 (#12768 @mmatur)
• [k8s/ingress-nginx, middleware, authentication] Add support for auth-snippet (#12778 @juliens)
• [accesslogs, otel] Allow Stdio access logs alongsige OTLP logging (#12307 @Mulgish)
• [acme] Add CertificateTimeout ACME configuration option (#12278 @ceko)
• [k8s/ingress-nginx] Support nginx.ingress.kubernetes.io/allowlist-source-range (#12659 @ris-tlp)
• [k8s/crd] Add ingressClassName field to the CRDs spec (#12313 @kkrypt0nn)
• [k8s/crd] Service failover support in TraefikService CRD (#12733 @jspdown)
• [k8s/crd, service] Support cipher suites configuration with ServersTransport (#11965 @NEwa-05)
• [k8s/ingress, middleware, k8s/crd, service, k8s/gatewayapi] Services middleware and Gateway API filters on HTTP backends (#12544 @juliens)
• [k8s/ingress-nginx] Add nginx.ingress.kubernetes.io/proxy-connect-timeout annotation (#12572 @gndz07)
• [k8s/ingress-nginx] Add rewrite-target nginx annotations support (#12534 @LBF38)
• [k8s/ingress-nginx] Add support for app-root nginx annotation (#12576 @LBF38)
• [k8s/ingress-nginx] Add support for auth-signin annotation (#12502 @DesalLama)
• [k8s/ingress-nginx] Add support for from-to-www-redirect NGINX annotation (#12610 @LBF38)
• [k8s/ingress-nginx] Add support for proxy-read-timeout and proxy-send-timeout NGINX annotations (#12630 @LBF38)
• [k8s/ingress-nginx] Add support for session-cookie-expires nginx annotation (#12558 @LBF38)
• [k8s/ingress-nginx] Add support for upstream-hash-by NGINX annotation (#12749 @LBF38)
• [k8s/ingress-nginx] Allow entry points to be specified on Nginx Ingresses (#12727 @ajacques)
• [k8s/ingress-nginx] Implement proxy-http-version annotation (#12743 @KshitijBharde)
• [k8s/ingress-nginx] Nginx x-forwarded-prefix annotation (#12697 @nandorKollar)
• [k8s/ingress-nginx] Support auth-tls-secret and auth-tls-verify-client annotations (#12595 @gndz07)
• [k8s/ingress-nginx] Support limit-rpm annotation for ingress-nginx (#12703 @Ph4rell)
• [k8s/ingress-nginx] Support limit-rps annotation for Ingress NGINX (#12709 @amazon7737)
• [k8s/ingress-nginx] Support NGINX buffering annotations (#12459 @blasko03)
• [k8s/ingress-nginx] Support NGINX canary annotations (#12739 @kevinpollet)
• [k8s/ingress-nginx] Support NGINX custom-headers annotation (#12414 @nandorKollar)
• [k8s/ingress-nginx] Support NGINX upstream-vhost annotation (#12412 @nandorKollar)
• [k8s/ingress-nginx] Support NGINX whitelist-source-range annotation (#12423 @blasko03)
• [k8s/ingress-nginx] Support permanent-redirect and temporal-redirect annotations (#12561 @LBF38)
• [k8s/ingress-nginx] Support proxy-next-upstream* annotations (#12710 @gndz07)
• [k8s/ingress-nginx] Support server-alias annotation for Ingress NGINX (#12707 @amazon7737)
• [k8s/ingress-nginx] Support upstream-keepalive-timeout (#12708 @jcob-sikorski)
• [k8s/ingress-nginx] Add support for variable interpolation in auth-signin NGINX annotation (#12640 @LBF38)
• [k8s/ingress-nginx] Implement server-snippet and configuration-snippet annotations (#12715 @juliens)
• [k8s/ingress-nginx] Add custom-http-errors and default-backend annotations (#12637 @juliens)
• [k8s/ingress-nginx] Support auth-tls-pass-certificate-to-upstream annotation (#12629 @gndz07)
• [metrics] Support file path for metrics.influxdb2.token option (#12458 @barhun)
• [middleware] Add encodedCharacters middleware (#12555 @gndz07)
• [middleware] Enable retries based on HTTP response status codes, timeout, and non-idempotent methods (#12667 @LBF38)
• [middleware, authentication] Add authSignInURL in forward auth middleware (#12293 @kyounghunJang)
• [server] Add global option to disable X-Forwarded-For appending (#12374 @lbenguigui)
• [server] Replace Split in loops with more efficient SplitSeq (#12316 @boqishan)
• [service] Failover according to response status code (#12596 @lbenguigui)
• [tls] Make TLSStore gracefully handle missing secrets (#12522 @david-garcia-garcia)
• [webui] Add dashboard name configuration (#12410 @gndz07)
• [webui] Web UI dashboard improvements (#12236 @gndz07)
• [webui] Details pages UI improvement (#12377 @gndz07)
• Use unicode.MaxASCII for clearer ASCII check (#12741 @1911860538)

Bug fixes

• [k8s/ingress-nginx] Add ipAllowListStrategy option for allowlist/whitelist annotations (#12932 @mathieuherbert)
• [k8s/ingress-nginx] Fix regressions after refacto of the ingress-nginx provider (#13086 @juliens)
• [k8s/ingress-nginx] Fix typo in default CORS allowed headers (#13088 @mliang2)
• [docker, ecs] Migrate to github.com/moby/moby modules (#12672 @thaJeztah)
• [logs, metrics, tracing] Bump go.opentelemetry.io/otel (#13100 @juliens)
• [k8s/crd] Remove cross-provider sanitization for Kubernetes service loading (#13087 @rtribotte)
• [docker, ecs] Migrate to github.com/moby/moby modules (#13053 @mmatur)
• [k8s/ingress-nginx] Fix SSL redirect behavior for ingress-nginx provider (#13028 @gndz07)
• [k8s/ingress-nginx] Do not require a port for ExternalName services (#13033 @kevinpollet)
• [k8s, k8s/ingress-nginx] Add regression test for ingress default backend without rules (#13066 @mmatur)
• [acme] Bump github.com/go-acme/lego/v4 to v4.35.1 (#13027 @ldez)
• [server] Bump github.com/vulcand/oxy to v2.1.0 (#13046 @ldez)
• [acme] Bump github.com/go-acme/lego/v4 to v4.35.2 (#13043 @ldez)
• [middleware] Add errorRequestHeaders option to Errors middleware (#13034 @gndz07)
• [acme] Bump github.com/go-acme/lego/v4 to v4.34.0 (#12993 @ldez)
• [docker] Downgrade log level for missing container on inspect (#12900 @Otoru)
• [k8s/crd, k8s] Honor allowCrossNamespace with chain middleware CRD (#12976 @rtribotte)
• [k8s/ingress-nginx] Avoid 302 redirect when rewrite-target value is not an absolute URL for ingress-nginx provider (#12977 @gndz07)
• [k8s/ingress-nginx] Fix custom headers annotation with 503 Service Unavailable (#12969 @LBF38)
• [k8s/ingress-nginx] Fix service unavailable on ingress-nginx (#12996 @LBF38)
• [k8s/ingress-nginx] Handle duplicate server-alias on ingress-nginx provider (#13019 @gndz07)
• [k8s/ingress-nginx] Use QuoteMeta for cookie name when building canary rules (#12973 @kevinpollet)
• [middleware, authentication] Cleanup and make ForwardAuth logs consistent (#13013 @kevinpollet)
• [middleware, authentication] Fix trustForwardHeader on forward auth middleware (#12994 @juliens)
• [middleware, authentication] Remove map lookup making the basic auth notFoundSecret empty (#12960 @rtribotte)
• [middleware, k8s/ingress-nginx] Fix app-root with query params redirect (#12986 @LBF38)
• [middleware, k8s/ingress-nginx] Fix rewrite target with full URL and no regex in ingress path (#12992 @LBF38)
• [middleware, k8s/ingress-nginx] Preserve request query on absolute-URL redirect (#13020 @SAY-5)
• [middleware, k8s/ingress-nginx] Resolve NGINX variables in ingress-nginx upstream-vhost annotation (#12978 @mmatur)
• [middleware] Deprecate ForwardAuth.TrustForwardHeader option (#13012 @kevinpollet)
• [middleware] Remove untrusted X headers with underscores (#12961 @rtribotte)
• [middleware] Sanitize the request URL after stripping the prefix (#12990 @kevinpollet)
• [sticky-session, k8s/crd] Make SameSite cookie value case-insensitive (#12922 @murataslan1)
• [tls] Restore default cipher suites when serversTransport has no explicit cipherSuites (#12974 @mmatur)
• [webui] Bump lodash version (#12954 @gndz07)
• [webui] Upgrade form-data to 2.5.4, 3.0.4, 4.0.4 (#12958 @orbisai0security)
• [k8s/ingress-nginx] Fix rewrite-target annotation handling with empty path and non-regex path (#12905 @LBF38)
• [middleware] Bump github.com/klauspost/compress v1.18.4 (#12937 @thaJeztah)
• [k8s/crd] Fix panic with Failover services in Kubernetes (#12853 @juliens)
• [k8s/ingress-nginx] Fix rewrite directive in configuration-snippet to trim quotes (#12855 @gndz07)
• [k8s/ingress-nginx] Fix rewrite-target to handle full URL (#12854 @gndz07)
• [k8s/ingress-nginx] Handle empty rewrite-target like unset rewrite-target (#12832 @sathieu)
• [k8s/ingress-nginx] Fix TLS behavior in ingress-nginx provider (#12831 @LBF38)
• [k8s/ingress-nginx] Fix auth-response-headers whitespace trimming in ingress-nginx provider (#12856 @mmatur)
• [acme] Bump github.com/go-acme/lego/v4 to v4.33.0 (#12840 @ldez)
• [server, tcp] Fix postgres STARTTLS with TLS termination (#12847 @mmatur)
• [api] Fix allow colons and tildes in api.basePath validation (#12857 @mmatur)
• [server] Fix comment and unnecessary allocation in withRoutingPath (#12880 @boinger)
• [grpc] Bump google.golang.org/grpc to v1.79.3 (#12845 @mmatur)
• [middleware, authentication] Prevent duplicate user headers in basic and digest auth middleware (#12851 @juliens)
• [middleware] Fix StripPrefix and StripPrefixRegex to slice the prefix using encoded prefix length (#12863 @gndz07)
• [k8s/ingress-nginx] Fix use-regex annotation behavior and add strictValidatePathType config for ingress-nginx provider (#12773 @gndz07)
• [logs, otel] Add OTel-conformant trace context attributes to access logs (#12801 @mmatur)
• [k8s/gatewayapi] Fix incorrect hostname matching between listener and route (#12599 @TheColorman)
• [k8s/ingress] Fix ingress router's rule (#12808 @gndz07)
• [webui] Remove AGPL license in code (#12799 @Desel72)
• [k8s/ingress-nginx] Fix proxy-ssl-verify annotation (#12825 @LBF38)
• [http] Add maxResponseBodySize configuration on HTTP provider (#12788 @gndz07)
• [tls] Support fragmented TLS client hello (#12787 @rtribotte)
• [middleware, authentication] Make basic auth check timing constant (#12803 @rtribotte)
• [acme] Add missing renew options (#12467 @ldez)
• [acme] Add timeout to ACME-TLS/1 challenge handshake (#12516 @LBF38)
• [acme] Alter TLS renewal period (#12479 @LtHummus)
• [acme] Bump github.com/go-acme/lego/v4 to v4.28.0 (#12218 @ldez)
• [acme] Bump github.com/go-acme/lego/v4 to v4.29.0 (#12333 @ldez)
• [acme] Bump github.com/go-acme/lego/v4 to v4.30.1 (#12432 @ldez)
• [acme] Bump github.com/go-acme/lego/v4 to v4.31.0 (#12529 @ldez)
• [acme] Bump github.com/go-acme/lego/v4 to v4.32.0 (#12702 @ldez)
• [acme] Remove invalid private key in log (#12574 @juliens)
• [acme] Replace hardcoded references to LetsEncrypt in log messages (#12464 @schildbach)
• [cli] Fix health check ping (#12512 @olamilekan000)
• [docker] Auto-negotiate Docker API Version (#12256 @felixbuenemann)
• [docker] Bump Docker and OpenTelemetry dependencies (#12761 @mmatur)
• [docker, docker/swarm] Auto-negotiate Docker API version (#12262 @kevinpollet)
• [fastproxy] Bump github.com/valyala/fasthttp to v1.69.0 (#12763 @kevinpollet)
• [healthcheck] Reject absolute URL in healthcheck path configuration (#12653 @rtribotte)
• [healthcheck] Validate healthcheck path configuration (#12642 @rtribotte)
• [healthcheck, grpc] Remove path parsing with grpc healthcheck (#12760 @rtribotte)
• [http3] Bump github.com/quic-go/quic-go to v0.57.0 (#12308 @GreyXor)
• [http3] Bump github.com/quic-go/quic-go to v0.57.1 (#12319 @GreyXor)
• [http3] Bump github.com/quic-go/quic-go to v0.58.0 (#12448 @GreyXor)
• [http3] Bump github.com/quic-go/quic-go to v0.59.0 (#12553 @jnoordsij)
• [k8s] Fix condition used for serving and fenced endpoints (#12521 @LBF38)
• [k8s/gatewayapi] Fix Gateway API router's rules (#12753 @rtribotte)
• [k8s/ingress] Fix panic for empty defaultBackend and defaultBackend without resources (#12509 @gndz07)
• [k8s/ingress-nginx] Add AllowCrossNamespaceResources and GlobalAllowedResponseHeader options to control custom headers annotations (#12680 @rtribotte)
• [k8s/ingress-nginx] Deprecate Kubernetes Ingress NGINX provider experimental flag (#12286 @rtribotte)
• [k8s/ingress-nginx] Fix nginx rewrite target (#12730 @mmatur)
• [k8s/ingress-nginx] Fix NGINX sslredirect annotation support (#12387 @rtribotte)
• [k8s/ingress-nginx] Fix nginx.ingress.kubernetes.io/proxy-ssl-verify annotation support (#12351 @rtribotte)
• [k8s/ingress-nginx] Fix SSL redirect to match NGINX behavior (#12361 @mmatur)
• [k8s/ingress-nginx] Fix the service name for ingress-nginx provider (#12352 @mmatur)
• [k8s/ingress-nginx] Fix use-regex nginx annotation (#12531 @LBF38)
• [k8s/ingress-nginx] Prevent Ingress Nginx provider http router to attach to an entrypoint with TLS (#12528 @rtribotte)
• [metrics, tracing, accesslogs] Fix ObservabilityConfig SetDefaults (#12636 @mmatur)
• [middleware] Fix case sensitivity on x-forwarded headers for Connection (#12690 @LBF38)
• [middleware] Fix HasSecureHeadersDefined returning false when stsSeconds is 0 (#12684 @veeceey)
• [middleware, authentication] Add maxResponseBodySize configuration to forwardAuth middleware (#12694 @gndz07)
• [middleware, authentication] Change ForwardAuth error log level from DEBUG to ERROR (#12324 @murataslan1)
• [middleware, authentication] Handle empty/missing User-Agent header (#12545 @a-stangl)
• [middleware, k8s, k8s/ingress-nginx] Fix from to www nginx annotation (#12736 @mmatur)
• [middleware, k8s/ingress-nginx] Fix custom error pages behavior for ingress-nginx provider (#12738 @mmatur)
• [otel] Bump go.opentelemetry.io/otel dependencies (#12754 @rtribotte)
• [plugins] Validate plugin module name (#12291 @kevinpollet)
• [redis] Fix mutually exclusive verification for Redis (#12442 @juliens)
• [server] Bump golang.org/x/crypto to v0.45.0 (#12296 @kevinpollet)
• [server] Bump golang.org/x/net to v0.51.0 (#12756 @kevinpollet)
• [server] Filter unknown nodes with file and env for the deprecation loader (#12227 @rtribotte)
• [server] Fix deny encoded characters (#12454 @rtribotte)
• [server] Fix deny encoded characters (#12457 @rtribotte)
• [server] Fix multi-layer routing with models (#12258 @juliens)
• [server] Fix TLS handshake error handling (#12692 @juliens)
• [server] Make encoded character options opt-in (#12540 @gndz07)
• [server] Make the aggregator compute provider namespace for router's parentRefs (#12235 @rtribotte)
• [server] Print access logs for rejected requests and warn about new behavior (#12424 @kevinpollet)
• [server] Print access logs for rejected requests and warn about new behavior (#12426 @rtribotte)
• [server] Reject suspicious encoded characters (#12360 @rtribotte)
• [server] Remove conn deadline after STARTTLS negociation (#12639 @rtribotte)
• [service] Avoid recursion with services (#12591 @juliens)
• [tls] Fix verifyServerCertMatchesURI function behavior (#12575 @kevinpollet)
• [tls, server] Cap TLS record length to RFC 8446 limit in ClientHello peeking (#12638 @mmatur)
• [tracing, otel] Use ParentBased sampler to respect parent span sampling decision (#12403 @xe-leon)
• [udp] Revert "Avoid allocations in readLoop by using sync.Pool" (#12267 @kevinpollet)
• [webui] Bump dependencies of documentation and webui (#12581 @gndz07)
• [webui] Fix basePath validation for dashboard template (#12729 @gndz07)
• [webui] Fix blocked navigation on Safari (#12231 @gndz07)
• [webui] Fix missing type definition (#12780 @gndz07)
• [webui] Fix priority display in dashboard and ACME bypass redirect (#12740 @mmatur)
• [webui] Restore remote Upgrade to Hub button web component (#12219 @gndz07)
• [webui] Use url.Parse to validate X-Forwarded-Prefix value (#12643 @kevinpollet)
• [webui] Validate X-Forwarded-Prefix value for dashboard redirect (#12514 @LBF38)

Documentation

• [service] Service-level Middleware Documentation (#13095 @nmengin)
• [k8s/gatewayapi] Update Helm chart values link for Kubernetes Gateway (#13063 @0054)
• [k8s/ingress-nginx] Add ingress-nginx ConfigMap migration step (#12963 @sheddy-traefik)
• [k8s/ingress-nginx] Delete the coming soon section from the ingress-nginx documentation (#13037 @nmengin)
• [k8s] Fix yaml indentation (#12957 @isayme)
• [k8s] Clarify install config watchNamespace watches only one namespace (#12962 @parkerfath)
• [k8s/crd] Update ingressroute.md (#12916 @Rajakavitha1)
• [k8s/ingress-nginx] Document the rd parameter behavior for the auth-signin annotation (#13017 @kevinpollet)
• Reverse versions order in migration guide (#12959 @nmengin)
• Update vulnerability submission guidelines (#12968 @emilevauge)
• [docker] Fix docker-compose.yaml location in Docker setup page (#12860 @ScottA38)
• [docker, consul, ecs, k8s] Fix documentation on how to restrict the scope of service discovery (#12645 @mloiseleur)
• [k8s/gatewayapi] Update gateway-api link in getting-started to v1.5.1 (#12930 @isayme)
• [k8s/ingress-nginx] Add OVHcloud (OpenStack Octavia) to Cloud-Specific IP Management (#12759 @antonin-a)
• [k8s/ingress-nginx] Clarify IngressClass selection logic (#12926 @kevinpollet)
• Add redirects for deleted pages (#12889 @sheddy-traefik)
• Fix default value of http.sanitizePath (#12904 @iTob191)
• [acme] Clarify CNAME explanation in ACME Documentation (#12818 @sheddy-traefik)
• [k8s/ingress-nginx] Add ingress-nginx migration banner on documentation pages (#12872 @gndz07)
• [k8s/ingress] Improve Kubernetes Ingress Routing Documentation (#12876 @sheddy-traefik)
• [k8s/ingress-nginx] Clarify that NGINX Ingress watchNamespace watches only one namespace (#12873 @parkerfath)
• [k8s] Improve the multi tenant security note (#12822 @nmengin)
• Fix unnecessary escaping of pipe in regexp examples (#12784 @diegmonti)
• Add vulnerability submission quality guidelines (#12807 @emilevauge)
• Fix start up message format (#12806 @mloiseleur)
• Remove unsupported servers[n].address from TCP label examples (#12817 @sheddy-traefik)
• Bump mkdocs-traefiklabs to use consent mode (#12804 @darkweaver87)
• [acme] Add missing ACME options and clean up table for more visibility (#12208 @sheddy-traefik)
• [api] Fix typo in API dashboard configuration instructions (#12335 @NAICOLAS)
• [docker] Add documentation for loadbalancer.server.url in Docker and Swarm providers (#12289 @webash)
• [docker] Update docker in-depth setup guide (#12682 @mdevino)
• [docker/swarm] Update swarm.md traefik version (#12508 @DBouraoui)
• [k8s] Fix Gateway API version and the list of features supported (#12254 @nmengin)
• [k8s] Fix Kubernetes reference yml file (#12406 @mmatur)
• [k8s] Fix kubernetes.md with correct http redirections (#12603 @MartenM)
• [k8s] Fix Nginx provider documentation (#12266 @nmengin)
• [k8s] Improve the K8S multi-tenancy security note (#12444 @nmengin)
• [k8s] Make labelSelector option casing more consistent (#12658 @holysoles)
• [k8s, k8s/ingress-nginx] Add configmaps right to Ingress NGINX RBAC (#12557 @kevinpollet)
• [k8s/gatewayapi] Fix links of Helm chart values reference to providers.kubernetesGateway.enabled (#12315 @shouhei)
• [k8s/ingress, k8s] Fix Kubernetes Ingress provider documentation (#12443 @nmengin)
• [k8s/ingress-nginx] Add auth-signin to unsupported nginx annotations list (#12370 @fibsifan)
• [k8s/ingress-nginx] Add RBAC documentation for Ingress NGINX provider (#12445 @nmn3m)
• [k8s/ingress-nginx] Add temporary note to advertise the incoming NGINX annotations (#12699 @nmengin)
• [k8s/ingress-nginx] Fix default value of ingress-nginx provider in documentation (#12328 @mloiseleur)
• [k8s/ingress-nginx] Fix ingress-nginx annotations documentation (#12510 @nmengin)
• [k8s/ingress-nginx] Improve ingress-nginx provider documentation (#12288 @sheddy-traefik)
• [k8s/ingress-nginx] Improve the configuration options display of the Kubernetes ingress-nginx provider (#12297 @mloiseleur)
• [k8s/ingress-nginx] NGINX Ingress Controller to Traefik Migration Guide (#12318 @sheddy-traefik)
• [middleware] Correct documentation for Digest auth (#12651 @Zash)
• [middleware] Fix default encodings in compress middleware (#12216 @Belphemur)
• [middleware, k8s/crd] Fix the errors middleware's document for Kubernetes CRD (#12600 @yuito-it)
• [service] Fix loadbalancer doc for highest random weight (#12283 @ozon2)
• [tls] Clarify SNI selection (#12482 @AnuragEkkati)
• Add @gndz07 as a current maintainer (#12594 @emilevauge)
• Add a Breaking change note to the changelog (#12398 @nmengin)
• Add documentation about checkNewVersion (#12298 @darkweaver87)
• Add missing .http to TOML table names (#12713 @Darsstar)
• Add product comparison matrix and features page (#12037 @sheddy-traefik)
• Bring back security section on API & Dashboard documentation page (#12507 @gndz07)
• Clarify doc about encoded characters rejection (#12391 @rtribotte)
• Clean Up Menu Entries & Update Expose Overview (#12405 @sheddy-traefik)
• Correct encoded characters allowance in entrypoints.md (#12679 @Apflkuacha)
• Correctly Format the HTTP Service Documentation (#12311 @sheddy-traefik)
• Document negative priority support for routers (#12505 @understood-the-assignment)
• Document Path matcher placeholder removal in v3 migration guide (#12570 @sheddy-traefik)
• Fix API basepath option documentation (#12744 @nmengin)
• Fix broken links in TCP Service and HTTP Router documentation (#12215 @sheddy-traefik)
• Fix code copy button positioning (#12520 @AnuragEkkati)
• Fix encoded characters entryPoint option documentation (#12384 @rtribotte)
• Fix encoded characters option documentation (#12373 @kevinpollet)
• Fix encodedCharacters entryPoint option documentation (#12385 @rtribotte)
• Fix incorrect TOML example in entrypoints docs (#12711 @mfmfuyu)
• Fix link description in Traefik Proxy documentation (#12488 @schaerfo)
• Fix Menu Item Naming (#12431 @sheddy-traefik)
• Fix migration guide indentation (#12365 @kevinpollet)
• Fix migration guide URLs in deprecation notice (#12430 @alexmar07)
• Fix typo in kubernetes.md (#12515 @EdwardSalkeld)
• Fix typo in v3.6 migration guide (#12212 @jnoordsij)
• Fix typo on JWT documentation (#12616 @mdevino)
• Improve Service Reference page (#12541 @sheddy-traefik)
• Improve the structure of the routing reference pages (#12429 @sheddy-traefik)
• Increased content width in documentation (#12632 @tobiasge)
• Remove extra dots in migration guide (#12573 @rtribotte)
• Remove extraneous dots in migration guide (#12571 @dathbe)
• Restore documentation on http.maxHeaderBytes (#12440 @mloiseleur)
• Split Expose User Guides & Add Multi-Layer Routing Section (#12238 @sheddy-traefik)
• Update Configuration Overview Page (#12202 @sheddy-traefik)
• Update SECURITY.md (#12304 @cwayne18)
• Update SECURITY.md to streamline information (#12310 @emilevauge)

Misc

• Make FLAGS Make variable usable (#13009 @twz123)