UI encodes slashes in KV paths, causing 400 errors behind Traefik v3.6+

[RebootFixesAll]

Describe the bug
The Vault UI URL-encodes forward slashes (/) in KV secret paths, converting them to %2F. This causes compatibility issues with reverse proxies like Traefik v3.6.3+, which now block encoded slashes by default for security reasons. When accessing a KV secret with a path containing slashes (e.g., my-app/production/config), the UI generates encoded paths like:

/ui/vault/secrets/secret/kv/my-app%2Fproduction%2Fconfig

Instead of the expected:

/ui/vault/secrets/secret/kv/my-app/production/config

To Reproduce
Steps to reproduce the behavior:

1. Deploy Vault behind Traefik v3.6.3+ with default settings
2. Log into the Vault UI
3. Navigate to a KV secrets engine
4. Create a new secret with a path containing slashes (e.g., my-app/production/config)
5. See 400 Bad Request error from Traefik due to encoded slashes in the request path

example logs

2025-12-17T20:10:14Z DBG github.com/traefik/traefik/v3/pkg/server/router/deny.go:52 > Rejecting request because it contains encoded character %2F in the URL path: /v1/secret/data/my-app%2Fproduction%2Fconfig

142.250.191.187 - - [17/Dec/2025:20:10:14 +0000] "POST /v1/secret/data/my-app%2Fproduction%2Fconfig HTTP/1.1" 400 0 "-" "-" 31 "vault@docker" "-" 0ms

Expected behavior

paths should not include encoded characters

Environment:

• Vault Server Version: (any recent version)
• Vault CLI Version: (any recent version)
• Server Operating System/Architecture: Linux/amd64
• Reverse Proxy: Traefik v3.6.3+

Additional context
Traefik v3.6.3 introduced security restrictions that block requests containing encoded characters in the path by default, including %2F (encoded slash). See: https://doc.traefik.io/traefik/v3.6/security/request-path/ While users can work around this by setting allowEncodedSlash: true in Traefik configuration, this reduces security posture. Ideally, the Vault UI would not encode slashes that are legitimate path separators.

docker compose for testing and verification

services:
  traefik:
    image: traefik:v3.6.5
    ports:
      - "80:80"
      - "8080:8080"
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--log.level=DEBUG"
      - "--accesslog=true"
      - "--accesslog.format=common"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  vault:
    platform: linux/x86_64
    image: hashicorp/vault:1.21
    ports:
      - '8200:8200'
    environment:
      - VAULT_DEV_ROOT_TOKEN_ID=dev-only-token
    volumes:
      - vault_data:/vault/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vault.rule=Host(`localhost`)"
      - "traefik.http.routers.vault.entrypoints=web"
      - "traefik.http.services.vault.loadbalancer.server.port=8200"

volumes:
  vault_data:

[alexleach]

Ah, an update to Traefik caused the issue, not Vault! I have been having this issue for about a week, and have been checking Vault's Issues for this since, but haven't seen any other report of this.

Some additional context from my experience, in case it will help:-

• When browsing in the Web UI, I can get as far as https://<vault_url>/ui/vault/secrets/<mount>/kv/list/users/
• When selecting the next key (my user's personal secrets mount), I get the following error:-

• In the Console debugger, I can see a 400 request to https://<vault_url>/v1/<mount>/metadata/users%2F<me>/?list=true
• If I use curl -H 'X-Vault-Token: <token> <url>, using that same url, I get an empty response.
• If I change %2f for / in the url, then I get the expected response.

I have been having to get my secrets from the CLI, which isn't very convenient; the web UI has been my method of choice to get my secrets until now...

[kk-git-admin]

I also confirm this issue as described by @alexleach , this is also make imposible to delete secret from the dashboard.
This error occurs only with traefik, when I am using cloudflare tunnel it is working well.

[tkowalczyk]

The workaround I found it to add to traefic configuration, command:

- "--entrypoints.websecure.http.encodedCharacters.allowEncodedSlash=true"

[alexleach]

The workaround I found it to add to traefic configuration, command:

- "--entrypoints.websecure.http.encodedCharacters.allowEncodedSlash=true"

I can confirm this works for me, thanks. I used the static configuration to set the value and found traefik issue comment traefik/traefik#12437 (comment) that shows the exact static configuration settings and also notes that in traefik version 3.6.5, the allowEncodedSlash setting is broken.

[heatherezell]

The workaround I found it to add to traefic configuration, command:

- "--entrypoints.websecure.http.encodedCharacters.allowEncodedSlash=true"

I can confirm this works for me, thanks. I used the static configuration to set the value and found traefik issue comment traefik/traefik#12437 (comment) that shows the exact static configuration settings and also notes that in traefik version 3.6.5, the allowEncodedSlash setting is broken.

Thanks for the link to that issue! Do you still wish to keep this issue open? Please let me know if you need further help from the Vault UI team. Thanks! :)

[lazysteff]

I’d suggest keeping this issue open, because the behavior in the UI still looks problematic independent of Traefik.

The core issue seems to be that the UI percent-encodes the entire KV path (encodeURIComponent("a/b/c") → a%2Fb%2Fc) instead of encoding individual path segments. Since / is a structural delimiter in URI paths (RFC 3986), encoding it changes the semantics of the path and leads to ambiguous or unsafe URLs.

Traefik 3.6+ is just the first proxy that started enforcing this strictly. Others are more permissive, but that’s mostly for backward compatibility rather than correctness. From a URI semantics and security point of view, rejecting encoded slashes is a reasonable default.

In other words, even though users can work around this by loosening proxy security (allowEncodedSlash=true), that feels like treating the symptom rather than the root cause. Fixing the UI to preserve / as a path separator (and only encode individual segments) would make Vault UI behave correctly behind strict proxies and avoid pushing users toward weaker proxy configs.

[RebootFixesAll]

Looks like the traefik team is reverting their breaking change

traefik/traefik#12360 (comment)

[heatherezell]

Looks like the traefik team is reverting their breaking change

traefik/traefik#12360 (comment)

Thank you for letting me know! Holler if we can do more to help on our side in the future.