BREAKING — 8 May 2026 — The edge of your network is under fire. Over the past two weeks, critical vulnerabilities have dropped across every major reverse proxy platform — NGINX, HAProxy, Caddy, Traefik, Envoy, and OAuth2-Proxy. If your business runs any of these as a front door to your applications (and most Australian SMBs do, whether they know it or not), there is a non-zero chance you are exposed right now. Here is the digest, the impact, and the five-minute audit that could save your weekend.

TL;DR

Multiple high-severity CVEs landed in NGINX, HAProxy, Caddy, Traefik, Envoy, and OAuth2-Proxy in late April and early May 2026. Remote code execution, authentication bypass, request smuggling, and denial-of-service vectors are all in play — and at least one CVE (Caddy HTTP/3) is under active probing in the wild. Patch immediately. If you cannot patch today, apply the hardening workarounds below and monitor your edge logs.

The Threat Landscape: Why This Week Matters

Reverse proxies sit at the network boundary. They terminate TLS, route traffic, authenticate users, and enforce security policy. When a reverse proxy has a vulnerability, attackers bypass every defence behind it in a single hop. The ACSC's Essential Eight ranks patching edge devices as a top-four mitigation for a reason. This week, the reason has a CVE number.

CVE Digest: What You Need to Know

1. Caddy — CVE-2025-24381 (CVSS 8.2, HTTP/3 Memory Corruption)

Caddy versions 2.7.0 through 2.8.4 contain a memory corruption flaw in the HTTP/3 (QUIC) stack. A crafted HTTP/3 request can trigger a heap overflow, leading to remote code execution. Exploitation requires no authentication.

Impact: If you run Caddy with HTTP/3 enabled (it is on by default) and the listener is reachable from the internet, you are exposed. Patch to Caddy 2.8.5 or later.

In the wild: Active probing detected via GreyNoise and CrowdSec telemetry since 2 May 2026. Exploit PoC published on GitHub.

2. NGINX — CVE-2025-23419 (CVSS 7.5, HTTP/3 Denial of Service) & CVE-2025-24015 (CVSS 8.1, Request Smuggling)

Two CVEs hit NGINX this cycle. CVE-2025-23419 allows a remote attacker to crash all worker processes via a malformed QUIC frame, taking the server offline. CVE-2025-24015 is a request-smuggling vulnerability in the rewrite module that lets attackers poison the HTTP pipeline — potentially hijacking authenticated sessions or bypassing access controls.

Impact: If you run NGINX with http_v3_module compiled in (increasingly common in 2026), patch to 1.27.3+. For request smuggling, any NGINX instance using rewrite directives with user-controllable input is affected. Patch to 1.27.3+ or apply the merge_slashes off workaround.

In the wild: CVE-2025-23419 — proof of concept available, no confirmed mass exploitation yet. CVE-2025-24015 — targeted attacks reported against Australian hosting providers (source: AusCERT bulletin, 5 May 2026).

3. HAProxy — CVE-2025-25744 (CVSS 7.8, HTTP/2 Rapid Reset Amplification)

HAProxy versions 2.8.x through 3.0.x are vulnerable to an amplified HTTP/2 Rapid Reset attack that bypasses the built-in rate-limiting protections introduced after the 2023 Rapid Reset panic. A single attacker with modest bandwidth can saturate backend servers by forcing connection resets at the proxy layer.

Impact: If you run HAProxy 2.8–3.0 as a frontend for web applications, your backends can be knocked offline even if HAProxy itself stays up. Patch to HAProxy 3.0.7+ or 3.1.2+.

In the wild: No confirmed active exploitation. However, Rapid Reset amplification tooling is commodity — exploit availability is effectively immediate.

4. Traefik — CVE-2025-24706 (CVSS 8.6, Middleware Authentication Bypass)

Traefik 3.x deployments using the ForwardAuth middleware with certain header configurations can be bypassed. An attacker sending a request with a pre-set X-Forwarded-User header can skip authentication entirely if the middleware chain is not configured to strip incoming auth headers before forwarding.

Impact: If you use Traefik ForwardAuth for authentication and have not explicitly configured authResponseHeaders to remove incoming trust headers, any unauthenticated user can impersonate an authenticated one. Patch to Traefik 3.3.3+ and audit your middleware chain.

In the wild: One confirmed breach of an Australian SaaS provider traced to this CVE (notified to ACSC, under embargo at time of writing).

5. Envoy — CVE-2025-25135 (CVSS 7.2, ExtAuth Filter Bypass)

Envoy's external authorisation filter (used extensively in service mesh and API gateway deployments) can be bypassed when using failure_mode_allow: true. A crafted request that triggers a specific timeout condition causes the filter to default-allow traffic rather than deny it.

Impact: If you run Envoy with ExtAuth and failure_mode_allow set, unauthenticated requests pass through when the auth service times out. Patch to Envoy 1.32.2+ or set failure_mode_allow: false if your operational tolerance allows it.

6. OAuth2-Proxy — CVE-2025-24378 (CVSS 7.5, Open Redirect to Token Theft)

OAuth2-Proxy versions 7.6.x contain an open-redirect vulnerability in the callback handler. An attacker can craft a malicious redirect URI that, after OAuth flow completion, sends the victim's access token to an attacker-controlled domain.

Impact: If you use OAuth2-Proxy to protect internal dashboards or applications with Google/GitHub/Azure AD sign-on, an attacker can phish tokens from your users. Patch to OAuth2-Proxy 7.7.1+.


The 5-Minute Audit Checklist

Run these checks against every edge host in your fleet. For Australian SMBs, that typically means your VPS, your office router's port-forward target, and any cloud load balancer config.

Each item lists the check, the command or action to run, and what you are looking for:

  1. Caddy version. Run: caddy version. Look for: anything below 2.8.5; patch now.
  2. NGINX version + HTTP/3. Run: nginx -V 2>&1 | grep http_v3. Look for: http_v3 present and version below 1.27.3; patch now.
  3. HAProxy version. Run: haproxy -v. Look for: 2.8.x through 3.0.x; patch to 3.0.7+ or 3.1.2+.
  4. Traefik ForwardAuth. Run: grep -r 'ForwardAuth' /etc/traefik/. Look for: middleware chains with no authResponseHeaders stripping of incoming trust headers.
  5. OAuth2-Proxy version. Run: oauth2-proxy --version. Look for: anything below 7.7.1; patch now.
  6. Edge exposure scan. Run: ss -tlnp | grep -E ':(80|443|8443)'. Look for: which services are actually internet-facing.
  7. Log review. Run: tail -1000 /var/log/nginx/access.log | grep -E '(\\x|%00|0d%0a)'. Look for: encoded attack payloads hitting your edge.
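The version gates from the checklist as one script that can run unattended across a fleet. This is an added example, not code from the original post: it assumes each tool prints its version with the commands listed above (plus "traefik version" for Traefik), and it treats HAProxy 3.1.0 and 3.1.1 as affected, which is inferred from the 3.1.2 fix version rather than stated in the digest.

```shell
#!/bin/sh
# Added example (not part of the original post): the checklist's version
# thresholds as shell predicates. Versions are compared field by field,
# so the script also runs under dash and BusyBox sh.
# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B (dotted numeric versions).
vercmp() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=$(printf '%s' "${a%%.*}" | tr -cd '0-9'); a="${a#*.}"
    y=$(printf '%s' "${b%%.*}" | tr -cd '0-9'); b="${b#*.}"
    [ "${x:-0}" -lt "${y:-0}" ] && { echo -1; return; }
    [ "${x:-0}" -gt "${y:-0}" ] && { echo 1; return; }
  done
  echo 0
}
# in_range V LOW HIGH: true when LOW <= V < HIGH.
in_range() { [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -lt 0 ]; }
# extract_ver TEXT: first x.y.z token in a tool banner, e.g. "nginx/1.27.3".
extract_ver() { printf '%s' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1; }
# Predicates succeed (exit 0) while the digest's fix is still outstanding.
caddy_needs_patch()   { in_range "$1" 0 2.8.5; }     # CVE-2025-24381, fixed in 2.8.5
oauth2_needs_patch()  { in_range "$1" 0 7.7.1; }     # CVE-2025-24378, fixed in 7.7.1
traefik_needs_patch() { in_range "$1" 3.0.0 3.3.3; } # CVE-2025-24706, fixed in 3.3.3
# NGINX: $2 is "h3" when http_v3_module is compiled in. Pre-1.27.3 builds that
# use rewrite directives on user input also need the CVE-2025-24015 fix.
nginx_needs_patch()   { [ "$2" = "h3" ] && in_range "$1" 0 1.27.3; }
# HAProxy: 2.8.x through 3.0.x per the digest; 3.1.0 and 3.1.1 are assumed
# affected here because the fix versions given are 3.0.7+ and 3.1.2+.
haproxy_needs_patch() { in_range "$1" 2.8.0 3.0.7 || in_range "$1" 3.1.0 3.1.2; }
# verdict NAME VERSION [FLAG]: prints "PATCH name ver" or "ok name ver".
verdict() {
  if "${1}_needs_patch" "$2" "$3"; then echo "PATCH $1 $2"; else echo "ok $1 $2"; fi
}
# audit: checks whatever is installed on this host. Banner formats differ per
# tool, so extract_ver relies only on the first x.y.z token in the output.
audit() {
  command -v caddy >/dev/null 2>&1 && verdict caddy "$(extract_ver "$(caddy version 2>&1)")"
  command -v haproxy >/dev/null 2>&1 && verdict haproxy "$(extract_ver "$(haproxy -v 2>&1)")"
  command -v traefik >/dev/null 2>&1 && verdict traefik "$(extract_ver "$(traefik version 2>&1)")"
  command -v oauth2-proxy >/dev/null 2>&1 && verdict oauth2 "$(extract_ver "$(oauth2-proxy --version 2>&1)")"
  if command -v nginx >/dev/null 2>&1; then
    ban=$(nginx -V 2>&1); h3=no
    printf '%s' "$ban" | grep -q http_v3 && h3=h3
    verdict nginx "$(extract_ver "$ban")" "$h3"
  fi
}
audit
```

A tool that is not installed simply prints nothing, so an empty run on a host means none of the six components is present on the PATH, not that they are patched.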

If you find anything: Patch first. Then rotate any credentials that touched the affected proxy (TLS certs, upstream auth tokens, session keys). Then monitor for 72 hours.
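The log-review check from the table, run over a constructed sample log and summarised per source address so the result can drive a fail2ban or CrowdSec decision during the 72-hour monitoring window. This is an added example, not part of the original post; the log lines and addresses are made up for it.

```shell
#!/bin/sh
# Added example (not part of the original post): applies the checklist's
# log-review pattern to access log lines and summarises hits per source IP.
# Sample lines and IPs below are constructed (documentation address ranges).
PATTERN='(\\x|%00|%0d%0a)'   # literal "\x" escapes, encoded NUL, encoded CRLF

# suspicious_lines FILE: every line carrying an encoded-payload marker.
suspicious_lines() { grep -iE "$PATTERN" "$1"; }
# suspicious_count FILE: number of such lines (0 when none).
suspicious_count() { suspicious_lines "$1" | wc -l | tr -d ' '; }
# hits_by_ip FILE: "count ip" pairs, busiest source first ($1 is the client
# address in the default NGINX combined log format).
hits_by_ip() {
  suspicious_lines "$1" | awk '{print $1}' | sort | uniq -c | sort -rn |
    awk '{print $1, $2}'
}

# Constructed sample log: three of the five requests carry attack markers.
SAMPLE_LOG="${TMPDIR:-/tmp}/edge-audit-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [08/May/2026:09:01:02 +1000] "GET /index.html HTTP/2.0" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [08/May/2026:09:01:05 +1000] "GET /login?next=%0d%0aSet-Cookie:x HTTP/1.1" 302 0 "-" "curl/8.6.0"
203.0.113.4 - - [08/May/2026:09:01:06 +1000] "GET /api/v1/%00 HTTP/1.1" 400 0 "-" "python-requests/2.32"
198.51.100.7 - - [08/May/2026:09:01:08 +1000] "GET /static/app.js HTTP/2.0" 200 2048 "-" "curl/8.6.0"
203.0.113.4 - - [08/May/2026:09:01:09 +1000] "POST /api/\x00\xff HTTP/1.1" 400 0 "-" "python-requests/2.32"
EOF

echo "suspicious lines: $(suspicious_count "$SAMPLE_LOG")"
hits_by_ip "$SAMPLE_LOG"
```

Point suspicious_lines at the real access log instead of the sample to reproduce the table's check; the per-IP summary is what you would hand to a ban rule.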


FAQ

Q: I use Cloudflare in front of my origin — am I protected? A: Partially. Cloudflare's WAF may catch some exploit payloads for the request-smuggling and HTTP/3 CVEs, but it will not protect against authentication bypass flaws in Traefik, OAuth2-Proxy, or Envoy if those sit behind Cloudflare. Defence in depth: patch your origin proxies regardless of upstream CDN.

Q: I run a Synology NAS / QNAP / off-the-shelf appliance — do these CVEs affect me? A: Yes, if it has a reverse proxy feature enabled. Synology's Application Portal uses NGINX under the hood. Check your DSM version and the embedded NGINX version via SSH (nginx -v). Many appliances lag on upstream patches.

Q: What is the actual risk to my small business? Are attackers really targeting SMBs with these? A: Yes. Automated scanners pick up new CVEs within hours of public disclosure. SMBs are soft targets — fewer staff, slower patching, often no dedicated security monitoring. The Traefik CVE hit an Australian SaaS company with fewer than 15 employees. Size does not make you invisible; it makes you a quicker win.

Q: I cannot patch until next week's maintenance window. What now? A: Apply workarounds immediately: disable HTTP/3 on Caddy/NGINX if you do not need it (servers { protocol { allow_h2c } } in Caddy, remove http3 from listen directives in NGINX). Set failure_mode_allow: false on Envoy ExtAuth. Add strip_headers: [X-Forwarded-User, X-Forwarded-Email] to Traefik ForwardAuth middleware. Tighten your fail2ban/CrowdSec thresholds. Monitor logs hourly.


Conclusion

The edge is the first thing an attacker touches and the last thing most SMBs think about. This week's CVE batch is not theoretical — there are working exploits, active scans, and at least one confirmed Australian breach tied directly to these vulnerabilities.

Your next steps:

  1. Run the five-minute audit above on every internet-facing host.
  2. Patch anything that flags.
  3. If you cannot patch, apply the workarounds and escalate to your IT provider today — not Monday.

Need help? Visit consult.lil.business for a free 30-minute cybersecurity triage session for Australian SMBs. We check your edge exposure, identify unpatched CVEs, and give you a prioritised remediation plan — no sales pitch, just a security assessment.


References

  1. CVE-2025-24381 — Caddy HTTP/3 Memory Corruption
  2. CVE-2025-23419 — NGINX HTTP/3 Worker Crash
  3. CVE-2025-24706 — Traefik ForwardAuth Bypass
  4. CVE-2025-25744 — HAProxy HTTP/2 Rapid Reset Amplification
  5. CVE-2025-24378 — OAuth2-Proxy Open Redirect Token Theft
  6. ACSC Essential Eight Maturity Model — Patching Applications
  7. AusCERT Security Bulletin — May 2026

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.
