Containous · Traefik · CVE-2026-32695
**Name of the Vulnerable Software and Affected Versions**
Traefik versions prior to 3.6.11 and 3.7.0-ea.2
**Description**
Traefik’s Knative provider builds router rules by interpolating user-supplied values into rule expressions without sanitizing them. Specifically, the `rules[].hosts[]` field of a Knative configuration allows a host-restriction bypass: an attacker can supply a host entry such as `` tenant.example.com`) || Host(`attacker.com `` so that the generated rule becomes `` Host(`tenant.example.com`) || Host(`attacker.com`) ``, and the router then serves attacker-controlled hosts. The `headers[].exact` field permits the same rule-syntax injection, producing an unsafe rule. In multi-tenant clusters this is a significant risk, since it can route unauthorized traffic to a victim’s services and expose cross-tenant traffic. The root cause is the use of `fmt.Sprintf` with backtick-delimited literals: input containing a backtick terminates the literal and injects further operators into Traefik’s rule language. A proof of concept (PoC) demonstrates injection of host and header rules that bypasses the intended routing restrictions.
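The following Go example, added here and not taken from Traefik’s source, contrasts the interpolation pattern the advisory describes with an allow-list validator of the kind a fix would apply; the function names, the hostname regex and the sample input are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Only DNS-style hostnames pass: labels of letters, digits and hyphens joined
// by dots. A backtick, parenthesis or "||" can never reach the rule string.
var hostnameRe = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$`)

// buildHostRuleUnsafe mirrors the pattern the advisory describes: each value
// is interpolated straight into a backtick-delimited Host() literal, so a
// value containing a backtick closes the literal and appends its own operators.
func buildHostRuleUnsafe(hosts []string) string {
	parts := make([]string, 0, len(hosts))
	for _, h := range hosts {
		parts = append(parts, fmt.Sprintf("Host(`%s`)", h))
	}
	return strings.Join(parts, " || ")
}

// buildHostRuleSafe validates every value before it touches the rule string:
// no backtick (which would close the literal) and a hostname-shaped value,
// so the rule can only match the hosts the tenant actually declared. For
// free-form fields such as headers[].exact the backtick rejection is the
// minimum; the hostname check is the tighter allow-list available here.
func buildHostRuleSafe(hosts []string) (string, error) {
	parts := make([]string, 0, len(hosts))
	for _, h := range hosts {
		if strings.ContainsRune(h, '`') || !hostnameRe.MatchString(h) {
			return "", fmt.Errorf("rejecting host %q: not a plain hostname", h)
		}
		parts = append(parts, fmt.Sprintf("Host(`%s`)", h))
	}
	return strings.Join(parts, " || "), nil
}

func main() {
	// Constructed input: the injection value quoted in the advisory.
	bad := "tenant.example.com`) || Host(`attacker.com"
	fmt.Println("unsafe:", buildHostRuleUnsafe([]string{bad}))
	_, err := buildHostRuleSafe([]string{bad})
	fmt.Println("safe:", err)
}
```

A detection-side variant of the same check can be run over rendered router rules (for example from the Traefik API) to flag any rule whose `Host()` literal count exceeds the number of hosts the tenant declared.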
**Recommendations**
Upgrade to Traefik version 3.6.11 or 3.7.0-ea.2 to address this issue.