Skip to main content

Traefik CVE-2026-32695

| EUVDEUVD-2026-16606 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-03-27 GitHub_M
6.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
MEDIUM
qualitative
Red Hat
7.7 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 14:00 euvd
EUVD-2026-16606
Analysis Generated
Mar 27, 2026 - 14:00 vuln.today
CVE Published
Mar 27, 2026 - 13:47 nvd
MEDIUM 6.3

DescriptionCVE.org

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 3.6.11 and 3.7.0-ea.2, Traefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative rules[].hosts[] was exploitable for host restriction bypass (for example tenant.example.com) || Host(attacker.com), producing a router that serves attacker-controlled hosts. Knative headers[].exact also allows rule-syntax injection and proves unsafe rule construction. In multi-tenant clusters, this can route unauthorized traffic to victim services and lead to cross-tenant traffic exposure. Versions 3.6.11 and 3.7.0-ea.2 patch the issue.

AnalysisAI

Traefik's Knative provider fails to escape user-controlled values when interpolating host and header rules into backtick-delimited expressions, allowing attackers to inject rule syntax and bypass host restrictions in multi-tenant clusters. Versions prior to 3.6.11 and 3.7.0-ea.2 are affected. An attacker can craft malicious Knative ingress configurations to route traffic intended for one tenant to attacker-controlled hosts, enabling unauthorized cross-tenant traffic exposure and service impersonation.

Technical ContextAI

Traefik (cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*) is an HTTP reverse proxy and load balancer that supports Kubernetes Knative ingress controllers. The vulnerability stems from improper input validation classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The Knative provider dynamically constructs router rules by directly interpolating user-supplied values (from rules[].hosts[] and headers[].exact fields) into backtick-delimited rule expressions without sanitization or escaping. These expressions use Traefik's rule syntax, which supports logical operators like || and function calls like Host(). An attacker controlling Knative resource definitions can inject syntax such as || Host(attacker.com) to expand the match criteria and bypass intended routing policies.

RemediationAI

Upgrade Traefik immediately to version 3.6.11 or later (for 3.6.x users) or version 3.7.0-ea.2 or later (for 3.7.x users). For users unable to patch immediately, restrict Knative ingress resource creation and modification via Kubernetes RBAC to only trusted administrator accounts, and audit existing Knative ingress definitions for suspicious rule syntax in rules[].hosts[] and headers[].exact fields. Additionally, implement network policies to isolate tenant traffic at the pod level and monitor Traefik routing decisions for unexpected cross-tenant traffic patterns. See https://github.com/traefik/traefik/security/advisories/GHSA-67jx-r9pv-98rj for complete remediation guidance.

CVE-2023-47633 HIGH POC
7.5 Dec 04

Traefik is an open source HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.5), this vulnerability is re

CVE-2019-12452 HIGH POC
7.5 May 29

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable

CVE-2023-47106 MEDIUM POC
6.5 Dec 04

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2022-23469 MEDIUM POC
6.5 Dec 08

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2025-32431 HIGH
8.8 Apr 21

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2023-54365 HIGH
8.7 Jun 23

Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inheri

CVE-2020-15129 MEDIUM POC
4.7 Jul 30

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik

CVE-2021-32813 HIGH
8.1 Aug 03

Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.1), this vulnerability is remotely explo

CVE-2026-54763 HIGH
7.8 Jul 06

Identity/authorization header spoofing in Traefik reverse proxy (before v2.11.51, v3.6.22, and v3.7.6) lets an attacker

CVE-2026-32305 HIGH
7.8 Mar 20

Traefik reverse proxy and load balancer contains an mTLS authentication bypass vulnerability that allows attackers to ci

CVE-2026-26999 HIGH
7.5 Mar 05

Traefik versions before 2.11.38 and 3.6.9 allow remote attackers to cause denial of service by sending incomplete TLS re

CVE-2026-25949 HIGH
7.5 Feb 12

Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resou

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-32695 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy