CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32695: Ingress Rule Injection and Host Restriction Bypass in Traefik

Vulnerability ID: CVE-2026-32695
CVSS Score: 6.3
Published: 2026-03-27

Traefik Kubernetes providers (Knative, Ingress, and Ingress-NGINX) fail to properly sanitize user-controlled input during the generation of internal routing rules. This improper neutralization allows authenticated users to inject arbitrary Domain-Specific Language (DSL) syntax via unescaped string interpolation. Exploitation enables malicious tenants to bypass host restrictions and intercept cross-tenant traffic in multi-tenant cluster environments.

TL;DR

An injection flaw in Traefik's Kubernetes providers allows authenticated users to bypass host restrictions by embedding unescaped backticks in Ingress resource definitions, leading to unauthorized cross-tenant traffic routing.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-74
  • Attack Vector: Network
  • Privileges Required: Low
  • CVSS Score: 6.3 (Medium)
  • Impact: Host Restriction Bypass, Traffic Hijacking
  • Exploit Status: Proof-of-Concept
  • KEV Status: Not Listed

Affected Systems

  • Traefik Kubernetes Ingress Provider
  • Traefik Kubernetes Ingress-NGINX Provider
  • Traefik Kubernetes Knative Provider
  • Traefik: < 3.6.11 (Fixed in: 3.6.11)
  • Traefik: >= 3.7.0-ea.1, < 3.7.0-ea.2 (Fixed in: 3.7.0-ea.2)

Code Analysis

Commit: 11d2514

Fix: Replace unescaped %v/%s with %q to securely quote string interpolation in Kubernetes provider rule generation.

- hostRules = append(hostRules, fmt.Sprintf("Host(`%v`)", host))
+ hostRules = append(hostRules, fmt.Sprintf("Host(%q)", host))
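Review bot: the hunk only covers hostRules, while the fix description says %v/%s were replaced with %q across the Kubernetes providers and the advisory names three of them (Knative, Ingress, Ingress-NGINX) plus header definitions; confirm that every fmt.Sprintf that builds a matcher from a user-controlled field received the same %q treatment, not just this one. Also worth checking: %q produces Go escape syntax (`\"`, `\\`, `\xNN` for non-printables), so the rule parser's handling of double-quoted strings must decode exactly those escapes, otherwise a host containing such characters would now produce an unparseable rule instead of a quoted one.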

Mitigation Strategies

  • Upgrade Traefik instances to fully patched versions (3.6.11+ or 3.7.0-ea.2+).
  • Implement Validating Admission Controllers in Kubernetes to reject Ingress resources containing backticks in the host or header definitions.
  • Enforce strict Role-Based Access Control (RBAC) to limit which users and service accounts can create or modify Ingress and Knative resources.
  • Audit existing Traefik routing rules for unexpected logical operators or composite host definitions.

Remediation Steps:

  1. Identify all Traefik deployments within the cluster environment and determine the current running versions.
  2. Update the container image tags in the Traefik deployment manifests or Helm charts to point to 'v3.6.11' or 'v3.7.0-ea.2'.
  3. Apply the updated manifests using 'kubectl apply' or 'helm upgrade' and verify the Traefik pods restart successfully.
  4. Deploy an OPA Gatekeeper constraint to monitor and block any new Ingress creation attempts containing the '`' character in relevant fields.
  5. Review the RBAC roles associated with Ingress creation and revoke permissions from non-essential users.
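The following Go program is an added example, not Traefik's code or any code from the cvereports.com post. It illustrates two points from this report at once: the %q quoting that commit 11d2514 introduces (shown beside the pre-patch backtick interpolation so the difference in the generated rule is visible), and the host check a validating admission webhook (mitigation bullet 2, remediation step 4) would apply to Ingress hosts before they ever reach the provider. The DNS-1123 pattern, the `ValidateIngressHost`/`AdmitIngressHosts`/`BuildHostRule` function names, the " || " joining of matchers and the sample hosts are all this example's own assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// dns1123Host accepts a lowercase DNS-1123 hostname with an optional leading
// "*." wildcard label, which is what an Ingress spec.rules[].host may hold.
// The pattern is an assumption of this example, not Traefik's own validation.
var dns1123Host = regexp.MustCompile(
	`^(\*\.)?([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// ValidateIngressHost is the per-host check a validating admission webhook
// would run before an Ingress is admitted. Quote characters are rejected
// outright because the router turns each host into a DSL matcher string.
func ValidateIngressHost(host string) error {
	if host == "" {
		return nil // empty host means "any host" in the Ingress API
	}
	if strings.ContainsAny(host, "`\"") {
		return fmt.Errorf("host %q contains a quote character that could terminate a generated routing rule", host)
	}
	if len(host) > 253 {
		return fmt.Errorf("host %q exceeds the 253-character DNS limit", host)
	}
	if !dns1123Host.MatchString(host) {
		return fmt.Errorf("host %q is not a DNS-1123 hostname", host)
	}
	return nil
}

// AdmitIngressHosts applies ValidateIngressHost to every host of an Ingress
// and returns the admission decision plus one reason per rejected host.
func AdmitIngressHosts(hosts []string) (bool, []string) {
	var reasons []string
	for _, h := range hosts {
		if err := ValidateIngressHost(h); err != nil {
			reasons = append(reasons, err.Error())
		}
	}
	return len(reasons) == 0, reasons
}

// BuildHostRule mirrors the patched code path: %q emits a double-quoted Go
// string literal, so a backtick in host stays inside the literal instead of
// closing it. Joining matchers with " || " is this example's assumption.
func BuildHostRule(hosts []string) string {
	rules := make([]string, 0, len(hosts))
	for _, h := range hosts {
		rules = append(rules, fmt.Sprintf("Host(%q)", h))
	}
	return strings.Join(rules, " || ")
}

// BuildHostRuleUnsafe is the pre-patch shape: %v inside a backtick literal,
// so a backtick in host ends the literal early and whatever follows is read
// as rule syntax. Kept only to show what the admission check prevents.
func BuildHostRuleUnsafe(hosts []string) string {
	rules := make([]string, 0, len(hosts))
	for _, h := range hosts {
		rules = append(rules, fmt.Sprintf("Host(`%v`)", h))
	}
	return strings.Join(rules, " || ")
}

func main() {
	// Constructed sample hosts: two ordinary tenant hosts and one carrying a
	// stray backtick, as an admission webhook might see them.
	sample := []string{"tenant-a.example.com", "*.tenant-b.example.com", "tenant-c.example.com`"}
	ok, reasons := AdmitIngressHosts(sample)
	fmt.Println("admitted:", ok)
	for _, r := range reasons {
		fmt.Println("  rejected:", r)
	}
	fmt.Println("unsafe rule:", BuildHostRuleUnsafe(sample))
	fmt.Println("quoted rule:", BuildHostRule(sample))
}
```

Run it with `go run main.go`. The admission check is the layer that matters for the mitigation bullets: it rejects the third host before any provider formats it, and `BuildHostRule` shows that even if such a value slipped through, %q keeps the backtick inside a double-quoted literal, which is the property the patch relies on. A real webhook would read the hosts from `networking.k8s.io/v1` Ingress objects (and the equivalent Knative fields) rather than a string slice.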

Read the full report for CVE-2026-32695 on our website for more details including interactive diagrams and full exploit analysis.
