CVE-2026-32695
Received Received - Intake
Rule Injection in Traefik Knative Provider Enables Host Bypass

Publication date: 2026-03-27

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 3.6.11 and 3.7.0-ea.2, Traefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative `rules[].hosts[]` was exploitable for host restriction bypass (for example `tenant.example.com`) || Host(`attacker.com`), producing a router that serves attacker-controlled hosts. Knative `headers[].exact` also allows rule-syntax injection and proves unsafe rule construction. In multi-tenant clusters, this can route unauthorized traffic to victim services and lead to cross-tenant traffic exposure. Versions 3.6.11 and 3.7.0-ea.2 patch the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-03
Generated
2026-05-07
AI Q&A
2026-03-27
EPSS Evaluated
2026-05-05
NVD
CVE-2026-32695
EUVD
EUVD-2026-16606
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
traefik traefik 3.7.0
traefik traefik to 3.6.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability enables unauthorized routing to protected services in multi-tenant clusters, leading to cross-tenant traffic exposure and internal service exposure.

Such unauthorized access and exposure of data could potentially violate compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict controls on data confidentiality and access.

Therefore, exploitation of this vulnerability may result in non-compliance with these regulations due to unauthorized data access and traffic routing bypassing intended restrictions.


Can you explain this vulnerability to me?

CVE-2026-32695 is a rule injection vulnerability in Traefik's Kubernetes Knative, Ingress, and Ingress-NGINX providers. It occurs because user-controlled input values are directly interpolated into backtick-delimited router rule expressions without proper escaping or validation.

This allows an attacker to inject additional routing rules by including special characters like backticks in host or header values. For example, a malicious host value such as `tenant.example.com`) || Host(`attacker.com` can cause the router to serve attacker-controlled hosts.

The vulnerability mainly affects multi-tenant or shared Kubernetes clusters where untrusted users can create or update Knative Ingress resources, which lack proper validation on host and header fields.

This unsafe string construction leads to unauthorized routing and bypass of host restrictions, allowing attackers to route traffic to their own services.

The issue is fixed in Traefik versions 3.6.11 and 3.7.0-ea.2 by enforcing input escaping and validation.


How can this vulnerability impact me? :

This vulnerability can lead to unauthorized routing of network traffic within a multi-tenant Kubernetes cluster.

  • Attackers can bypass host restrictions and route traffic intended for legitimate services to attacker-controlled hosts.
  • It can cause cross-tenant traffic exposure, where one tenant's traffic is accessible by another tenant.
  • Internal services may be exposed to unauthorized users, potentially leading to data leakage or unauthorized access.
  • Security policies relying on host or header-based routing restrictions can be bypassed.

Overall, this can compromise the isolation and security of services in shared Kubernetes environments.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting Traefik router rules for injected or malformed host or header values that include backticks or additional operators such as || Host(`attacker.com`).

Specifically, look for Knative Ingress resources where user-controlled inputs in rules[].hosts[] or headers[].exact contain suspicious characters that could alter routing rules.

Commands to detect this might include querying Kubernetes for Knative Ingress resources and examining their host and header values for injection patterns.

  • kubectl get knativeingresses -o jsonpath='{.items[*].spec.rules[*].hosts[*]}' | grep -E '`|\|\|'
  • kubectl get knativeingresses -o jsonpath='{.items[*].spec.rules[*].headers[*].exact}' | grep -E '`|\|\|'

Additionally, reviewing Traefik router logs or configuration outputs for unexpected host or header rules containing backticks or injected operators can help identify exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Traefik to patched versions 3.6.11 or 3.7.0-ea.2 where input escaping and validation are enforced.

Restrict the creation and modification of Knative Ingress resources to trusted users only, preventing untrusted or semi-trusted users from injecting malicious routing rules.

Prefer using the Gateway API for routing configuration, as it uses safer formatting that is not vulnerable to this injection.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart