Executive Summary

CVE-2026-32695 is a rule injection vulnerability in Traefik's Kubernetes Knative, Ingress, and Ingress-NGINX providers. It occurs because user-controlled input values are directly interpolated into backtick-delimited router rule expressions without proper escaping or validation.

This allows an attacker to inject additional routing rules by including special characters like backticks in host or header values. For example, a malicious host value such as `tenant.example.com`) || Host(`attacker.com` can cause the router to serve attacker-controlled hosts.

The vulnerability mainly affects multi-tenant or shared Kubernetes clusters where untrusted users can create or update Knative Ingress resources, which lack proper validation on host and header fields.

This unsafe string construction leads to unauthorized routing and bypass of host restrictions, allowing attackers to route traffic to their own services.

The issue is fixed in Traefik versions 3.6.11 and 3.7.0-ea.2 by enforcing input escaping and validation.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized routing of network traffic within a multi-tenant Kubernetes cluster.

• Attackers can bypass host restrictions and route traffic intended for legitimate services to attacker-controlled hosts.
• It can cause cross-tenant traffic exposure, where one tenant's traffic is accessible by another tenant.
• Internal services may be exposed to unauthorized users, potentially leading to data leakage or unauthorized access.
• Security policies relying on host or header-based routing restrictions can be bypassed.

Overall, this can compromise the isolation and security of services in shared Kubernetes environments.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting Traefik router rules for injected or malformed host or header values that include backticks or additional operators such as || Host(`attacker.com`).

Specifically, look for Knative Ingress resources where user-controlled inputs in rules[].hosts[] or headers[].exact contain suspicious characters that could alter routing rules.

Commands to detect this might include querying Kubernetes for Knative Ingress resources and examining their host and header values for injection patterns.

• kubectl get knativeingresses -o jsonpath='{.items[*].spec.rules[*].hosts[*]}' | grep -E '`|\|\|'
• kubectl get knativeingresses -o jsonpath='{.items[*].spec.rules[*].headers[*].exact}' | grep -E '`|\|\|'

Additionally, reviewing Traefik router logs or configuration outputs for unexpected host or header rules containing backticks or injected operators can help identify exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Traefik to patched versions 3.6.11 or 3.7.0-ea.2 where input escaping and validation are enforced.

Restrict the creation and modification of Knative Ingress resources to trusted users only, preventing untrusted or semi-trusted users from injecting malicious routing rules.

Prefer using the Gateway API for routing configuration, as it uses safer formatting that is not vulnerable to this injection.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability enables unauthorized routing to protected services in multi-tenant clusters, leading to cross-tenant traffic exposure and internal service exposure.

Such unauthorized access and exposure of data could potentially violate compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict controls on data confidentiality and access.

Therefore, exploitation of this vulnerability may result in non-compliance with these regulations due to unauthorized data access and traffic routing bypassing intended restrictions.

Useful 0 Not Useful 0