Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 3.6.11 and 3.7.0-ea.2, Traefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative rules[].hosts[] was exploitable for host restriction bypass (for example tenant.example.com) || Host(attacker.com), producing a router that serves attacker-controlled hosts. Knative headers[].exact also allows rule-syntax injection and proves unsafe rule construction. In multi-tenant clusters, this can route unauthorized traffic to victim services and lead to cross-tenant traffic exposure. Versions 3.6.11 and 3.7.0-ea.2 patch the issue.
AnalysisAI
Traefik's Knative provider fails to escape user-controlled values when interpolating host and header rules into backtick-delimited expressions, allowing attackers to inject rule syntax and bypass host restrictions in multi-tenant clusters. Versions prior to 3.6.11 and 3.7.0-ea.2 are affected. An attacker can craft malicious Knative ingress configurations to route traffic intended for one tenant to attacker-controlled hosts, enabling unauthorized cross-tenant traffic exposure and service impersonation.
Technical ContextAI
Traefik (cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*) is an HTTP reverse proxy and load balancer that supports Kubernetes Knative ingress controllers. The vulnerability stems from improper input validation classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The Knative provider dynamically constructs router rules by directly interpolating user-supplied values (from rules[].hosts[] and headers[].exact fields) into backtick-delimited rule expressions without sanitization or escaping. These expressions use Traefik's rule syntax, which supports logical operators like || and function calls like Host(). An attacker controlling Knative resource definitions can inject syntax such as || Host(attacker.com) to expand the match criteria and bypass intended routing policies.
RemediationAI
Upgrade Traefik immediately to version 3.6.11 or later (for 3.6.x users) or version 3.7.0-ea.2 or later (for 3.7.x users). For users unable to patch immediately, restrict Knative ingress resource creation and modification via Kubernetes RBAC to only trusted administrator accounts, and audit existing Knative ingress definitions for suspicious rule syntax in rules[].hosts[] and headers[].exact fields. Additionally, implement network policies to isolate tenant traffic at the pod level and monitor Traefik routing decisions for unexpected cross-tenant traffic patterns. See https://github.com/traefik/traefik/security/advisories/GHSA-67jx-r9pv-98rj for complete remediation guidance.
Traefik is an open source HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.5), this vulnerability is re
types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable
Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is
Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.8), this vulnerabil
Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inheri
In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik
Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.1), this vulnerability is remotely explo
Identity/authorization header spoofing in Traefik reverse proxy (before v2.11.51, v3.6.22, and v3.7.6) lets an attacker
Traefik reverse proxy and load balancer contains an mTLS authentication bypass vulnerability that allows attackers to ci
Traefik versions before 2.11.38 and 3.6.9 allow remote attackers to cause denial of service by sending incomplete TLS re
Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resou
Same technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16606