PT-2026-28442 · Containous · Traefik

Nmengin · Published 2026-03-27 · Updated 2026-04-07 · CVE-2026-32695

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Traefik versions prior to 3.6.11 and 3.7.0-ea.2

Description: Traefik's Knative provider constructs router rules by incorporating user-provided values into rule expressions without proper sanitization. Specifically, the rules[].hosts[] field in Knative configurations is susceptible to host restriction bypass, allowing an attacker to inject malicious host entries (e.g., tenant.example.com) || Host(attacker.com)) and serve attacker-controlled hosts. The headers[].exact field also permits rule-syntax injection, leading to unsafe rule construction. This issue poses a significant risk in multi-tenant clusters, potentially enabling unauthorized traffic routing to victim services and exposing cross-tenant traffic. The vulnerability stems from the use of fmt.Sprintf with backtick-delimited literals: malicious input containing a backtick terminates the literal early, and whatever follows is parsed as additional operators in Traefik's rule language. A proof-of-concept (PoC) demonstrates the injection of host and header rules, bypassing the intended routing restrictions.

Recommendations: Upgrade to Traefik version 3.6.11 or 3.7.0-ea.2 to address this issue.
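To make the mechanism concrete, the following is an added, hypothetical Go example (not Traefik's own code) that places a simplified version of the risky fmt.Sprintf pattern beside a fail-closed builder that validates each host against a hostname pattern before interpolating it; the function names, the regular expression and the sample input are all constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Simplified, hypothetical reconstruction of the risky pattern (not Traefik's
// code): each host is dropped into a backtick-delimited literal via fmt.Sprintf,
// so a value containing a backtick ends the literal and the rest is parsed as rule syntax.
func buildHostRuleUnsafe(hosts []string) string {
	parts := make([]string, 0, len(hosts))
	for _, h := range hosts {
		parts = append(parts, fmt.Sprintf("Host(`%s`)", h))
	}
	return strings.Join(parts, " || ")
}

// hostnameRe accepts only RFC 1123-style hostnames: dot-separated labels of
// letters, digits and hyphens. Backticks, parentheses, spaces and '|' can never
// pass, so a validated value cannot terminate the literal.
var hostnameRe = regexp.MustCompile(`^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

var errInvalidHost = errors.New("host value is not a valid hostname")

// buildHostRuleSafe validates every host before interpolation and fails closed:
// one bad entry means no rule is produced at all.
func buildHostRuleSafe(hosts []string) (string, error) {
	parts := make([]string, 0, len(hosts))
	for _, h := range hosts {
		h = strings.ToLower(strings.TrimSpace(h))
		if !hostnameRe.MatchString(h) {
			return "", fmt.Errorf("%w: %q", errInvalidHost, h)
		}
		parts = append(parts, fmt.Sprintf("Host(`%s`)", h))
	}
	return strings.Join(parts, " || "), nil
}

func main() {
	// Constructed input: the host entry shape quoted in the advisory.
	injected := []string{"tenant.example.com`) || Host(`attacker.com"}
	fmt.Println("unsafe:", buildHostRuleUnsafe(injected)) // second Host() smuggled in
	if _, err := buildHostRuleSafe(injected); err != nil {
		fmt.Println("safe:", err) // rejected before any rule is built
	}
}
```

The same validate-then-interpolate discipline applies to any other field that ends up inside a rule literal, such as the headers[].exact values the advisory mentions, with a character set appropriate to that field.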

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2026-32695
ECHO-8B5A-8E18-7EE1
GHSA-67JX-R9PV-98RJ
GO-2026-4880
OPENSUSE-SU-2026:10444-1
SUSE-SU-2026:1205-1

Affected Products

Traefik