v2.11.43

Important: Please read the migration guide.

CVE fixed:

• CVE-2026-40912 (Advisory GHSA-6jwx-7vp4-9847)
• CVE-2026-39858 (Advisory GHSA-5m6w-wvh7-57vm)
• CVE-2026-35051 (Advisory GHSA-6384-m2mw-rf54)
• CVE-2026-41263 (Advisory GHSA-6x2q-h3cr-8j2h)
• CVE-2026-41174 (Advisory GHSA-xhjw-95fp-8vgq)

Bug fixes:

• [middleware, authentication] Remove map lookup making the basic auth notFoundSecret empty (#12960 @rtribotte)
• [middleware, authentication] Fix trustForwardHeader on forward auth middleware (#12994 @juliens)
• [middleware, authentication] Cleanup and make ForwardAuth logs consistent (#13013 @kevinpollet)
• [middleware] Remove untrusted X headers with underscores (#12961 @rtribotte)
• [middleware] Sanitize the request URL after stripping the prefix (#12990 @kevinpollet)
• [k8s/crd, k8s] Honor allowCrossNamespace with chain middleware CRD (#12976 @rtribotte)