Bug fixes:

• [k8s/ingress-nginx] Skip ingress when auth-secret resolution fails (#13323 @gndz07)
• [k8s/ingress-nginx] Pass endpointslice fencing on ingress-nginx provider (#13290 @Learloj)
• [k8s/gatewayapi] Reject cross-provider references with backendRefs.namespace (#13322 @youkoulayley)
• [server] Bump to github.com/pires/go-proxyproto v0.12.0 (#13313 @timschumi)
• [tls] Fix routers with same host, different tlsoptions on different entryPoint (#13329 @juliens)
• [tls] Fix snicheck for routers with no hosts (#13333 @rtribotte)

Bug fixes:

• [k8s/gatewayapi] Reject cross-provider references with backendRefs.namespace (#13322 @youkoulayley)
• [server] Bump to github.com/pires/go-proxyproto v0.12.0 (#13313 @timschumi)
• [tls] Fix routers with same host, different tlsoptions on different entryPoint (#13329 @juliens)
• [tls] Fix snicheck for routers with no hosts (#13333 @rtribotte)

Bug fixes:

• [tls] Fix routers with same host, different tlsoptions on different entryPoint (#13329 @juliens)
• [tls] Fix snicheck for routers with no hosts (#13333 @rtribotte)

Bug fixes:

• [middleware] Fix redis write timeout option configuration (#13273 @bzyy1024)
• [webui] Bump react-router and jsdom (#13301 @gndz07)
• [k8s/gatewayapi] Fix BackendTLSPolicy status update (#13306 @AnatoleLucet)
• [http3] Bump github.com/quic-go/quic-go to v0.59.1 (#13300 @rtribotte)
• [webui] Bump axios to v1.17.0 (#13299 @gndz07)
• [tls] Fix snicheck with keepalive (#13305 @juliens)

Bug fixes:

• [middleware] Fix redis write timeout option configuration (#13273 @bzyy1024)
• [webui] Bump react-router and jsdom (#13301 @gndz07)
• [k8s/gatewayapi] Fix BackendTLSPolicy status update (#13306 @AnatoleLucet)
• [http3] Bump github.com/quic-go/quic-go to v0.59.1 (#13300 @rtribotte)
• [webui] Bump axios to v1.17.0 (#13299 @gndz07)
• [tls] Fix snicheck with keepalive (#13305 @juliens)

Bug fixes:

• [http3] Bump github.com/quic-go/quic-go to v0.59.1 (#13300 @rtribotte)
• [webui] Bump axios to v1.17.0 (#13299 @gndz07)
• [tls] Fix snicheck with keepalive (#13305 @juliens)

Important: Please read the migration guide.

CVE fixed:

• CVE-2026-48020 (Advisory GHSA-xf64-8mw2-4gr2)
• CVE-2026-48491 (Advisory GHSA-5r4w-85f3-pw66)
• CVE-2026-53622 (Advisory GHSA-9cr8-q42q-g8m7)

Bug fixes:

• [tls] Compute resolved tlsOptions after applying models (#13291 @rtribotte)
• [webui, tcp] Fix TCP router service resolution in dashboard flow diagram (#13155 @aliamerj)
• [k8s/ingress-nginx] Trim quotes from proxy_set_header header name (#13203 @crisbal)
• [accesslogs] Escape double quotes in quoted log fields (#13180 @KaanSimsek)
• [k8s/gatewayapi] Escape exact gRPC method matches (#13201 @nickmnt)
• [logs, middleware] Allow query parameters to be dropped from RequestPath in access log (#13091 @calinelson)
• [k8s/ingress-nginx] Clear Ssl-Client-* headers when no client certificate is present (#13260 @gndz07)
• [k8s/gatewayapi] Bump github.com/moby/spdystream to v0.5.1 (#13252 @kevinpollet)
• [file] Improve file provider behavior regarding dangling symlinks (#12449 @fh-yuxiao-zeng)
• [server] Bump github.com/bytedance/sonic to v1.15.1 (#13254 @kevinpollet)
• [middleware, authentication] Add error on basic auth build if users is empty (#13195 @rtribotte)
• [k8s/ingress] Avoid ingress path matcher injection and backport 11d2514 (#13227 @rtribotte)
• [server] Move snicheck to ctx instead of simulated routing (#13214 @juliens)
• [middleware] Reject requests with different paths after StripPrefix and StripPrefixRegex normalisation (#13215 @rtribotte)
• [server] Bump golang.org/x/net to v0.55.0 (#13251 @kevinpollet)
• [k8s/gatewayapi] Change default values and expose configuration for Kubernetes client QPS and Burst (#13277 @kevinpollet)
• [server] Bump golang.org/x/crypto to v0.52.0 (#13276 @rtribotte)

Documentation:

• [k8s] Document new chart behavior on Gateway API (#13167 @mloiseleur)
• [file] Replace generated File routing reference page (#13170 @sheddy-traefik)
• [k8s/crd] Fix typo in accesslogs field name (#13177 @PlayMTL)
• [k8s/ingress-nginx] Surface the Ingress status race condition during NGINX coexistence (#13205 @emilevauge)
• Polish grammar in migration guides (#13174 @quyentonndbs)
• [middleware] Remove whitespace in HTML tag (#13160 @marbon87)
• Add @LBF38 as a current maintainer (#13225 @emilevauge)
• Add ingressClassName to Kubernetes CRD provider migration guide (#13248 @kevinpollet)
• [k8s/ingress-nginx] Add nginx.ingress.kubernetes.io/enable-global-auth to the list of supported annotations (#13219 @filip2mac)
• [k8s/ingress-nginx] Capitalize NGINX in kubernetesIngressNGINX (#13236 @smellems)

Important: Please read the migration guide.

CVE fixed:

• CVE-2026-48020 (Advisory GHSA-xf64-8mw2-4gr2)

Bug fixes:

• [tls] Compute resolved tlsOptions after applying models (#13291 @rtribotte)
• [accesslogs] Escape double quotes in quoted log fields (#13180 @KaanSimsek)
• [k8s/gatewayapi] Escape exact gRPC method matches (#13201 @nickmnt)
• [logs, middleware] Allow query parameters to be dropped from RequestPath in access log (#13091 @calinelson)
• [k8s/gatewayapi] Bump github.com/moby/spdystream to v0.5.1 (#13252 @kevinpollet)
• [file] Improve file provider behavior regarding dangling symlinks (#12449 @fh-yuxiao-zeng)
• [server] Bump github.com/bytedance/sonic to v1.15.1 (#13254 @kevinpollet)
• [middleware, authentication] Add error on basic auth build if users is empty (#13195 @rtribotte)
• [k8s/ingress] Avoid ingress path matcher injection and backport 11d2514 (#13227 @rtribotte)
• [server] Move snicheck to ctx instead of simulated routing (#13214 @juliens)
• [middleware] Reject requests with different paths after StripPrefix and StripPrefixRegex normalisation (#13215 @rtribotte)
• [server] Bump golang.org/x/net to v0.55.0 (#13251 @kevinpollet)
• [k8s/gatewayapi] Change default values and expose configuration for Kubernetes client QPS and Burst (#13277 @kevinpollet)
• [server] Bump golang.org/x/crypto to v0.52.0 (#13276 @rtribotte)

Documentation:

• [file] Replace generated File routing reference page (#13170 @sheddy-traefik)
• [k8s/crd] Fix typo in accesslogs field name (#13177 @PlayMTL)
• [k8s/ingress-nginx] Surface the Ingress status race condition during NGINX coexistence (#13205 @emilevauge)
• Polish grammar in migration guides (#13174 @quyentonndbs)
• [middleware] Remove whitespace in HTML tag (#13160 @marbon87)
• Add @LBF38 as a current maintainer (#13225 @emilevauge)
• [k8s/ingress-nginx] Capitalize NGINX in kubernetesIngressNGINX (#13236 @smellems)

Important: Please read the migration guide.

CVE fixed:

• CVE-2026-48020 (Advisory GHSA-xf64-8mw2-4gr2)

Bug fixes:

• [tls] Compute resolved tlsOptions after applying models (#13291 @rtribotte)
• [middleware, authentication] Add error on basic auth build if users is empty (#13195 @rtribotte)
• [k8s/ingress] Avoid ingress path matcher injection and backport 11d2514 (#13227 @rtribotte)
• [server] Move snicheck to ctx instead of simulated routing (#13214 @juliens)
• [middleware] Reject requests with different paths after StripPrefix and StripPrefixRegex normalisation (#13215 @rtribotte)
• [server] Bump golang.org/x/net to v0.55.0 (#13251 @kevinpollet)
• [server] Bump golang.org/x/crypto to v0.52.0 (#13276 @rtribotte)

Important: Please read the migration guide.

CVE fixed:

• CVE-2026-44774 (Advisory GHSA-96qj-4jj5-wcjc)

Bug fixes:

• [k8s/ingress, k8s/crd, k8s/gatewayapi] Add CrossProviderNamespaces option (#13094 @rtribotte)
• [k8s/crd] Fix cross-provider ref check for Kubernetes CRD provider (#13121 @rtribotte)