PT-2026-24718 · Traefik · Traefik
1Seal · Published 2026-03-11 · Updated 2026-03-25 · CVE-2026-29777
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Traefik versions prior to 3.6.10
Description
Traefik is an HTTP reverse proxy and load balancer. A tenant with write access to an HTTPRoute resource can inject rule tokens into Traefik's router rule language through unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends. The issue arises because the Kubernetes gateway provider formats rule strings using backticks as string delimiters, and tenant-controlled input within HTTPRoute objects can include backticks and operator tokens, altering the parsed abstract syntax tree (AST). This allows an attacker to inject additional rule tokens, potentially enabling a cross-tenant routing hijack in shared gateway deployments. The buildHeaderRules and buildQueryParamRules functions in pkg/provider/kubernetes/gateway/httproute.go, along with similar functions in other modules, build these rules without proper escaping. Depending on the workload behind the gateway, the vulnerability can lead to credential or token capture and request forgery.
Recommendations
Versions prior to 3.6.10 are vulnerable and should be updated to version 3.6.10 or later. Encode rule arguments using injection-safe quoting, or reject or escape backticks and other rule-language metacharacters before interpolation. Add regression tests that include backticks and operator tokens inside header and query match values and assert that they cannot change the parse tree.
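The following added example (not Traefik's own code) contrasts the unescaped backtick interpolation the advisory describes with a guarded builder that rejects rule-language metacharacters, plus the matcher-count check a regression test can assert on. The function names, the metacharacter set beyond the backtick, and the sample values are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Rule-language metacharacters a tenant value must never carry. The backtick is
// the string delimiter the advisory names; the others are a conservative
// assumption covering grouping, argument separation and the boolean operators.
const ruleMetachars = "`()|&!,"

// ErrUnsafeRuleArg is returned when a value could alter the parsed rule.
var ErrUnsafeRuleArg = errors.New("rule argument contains rule-language metacharacters")

// checkRuleArg rejects a value containing a metacharacter or a control byte.
func checkRuleArg(v string) error {
	if strings.ContainsAny(v, ruleMetachars) {
		return ErrUnsafeRuleArg
	}
	for _, r := range v {
		if r < 0x20 || r == 0x7f {
			return ErrUnsafeRuleArg
		}
	}
	return nil
}

// buildHeaderRuleUnsafe reproduces the pattern the advisory describes: the
// tenant value is interpolated between backticks with no escaping.
func buildHeaderRuleUnsafe(name, value string) string {
	return fmt.Sprintf("Header(`%s`, `%s`)", name, value)
}

// buildHeaderRuleSafe validates both arguments and refuses to emit a rule for
// anything that could change the parse tree.
func buildHeaderRuleSafe(name, value string) (string, error) {
	for _, arg := range []string{name, value} {
		if err := checkRuleArg(arg); err != nil {
			return "", fmt.Errorf("header match %q: %w", arg, err)
		}
	}
	return buildHeaderRuleUnsafe(name, value), nil
}

// countHeaderMatchers is the regression-test check the advisory recommends: a
// rule built from one header match must contain exactly one Header( matcher.
func countHeaderMatchers(rule string) int {
	return strings.Count(rule, "Header(")
}
```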
Weakness Enumeration
Special Elements Injection
Related Identifiers
CVE-2026-29777
Affected Products
Traefik