{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32695", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T14:33:42.822Z", "datePublished": "2026-03-27T13:47:03.645Z", "dateUpdated": "2026-03-27T13:47:03.645Z"}, "containers": {"cna": {"title": "Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-67jx-r9pv-98rj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-67jx-r9pv-98rj"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.6.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": "< 3.6.11", "status": "affected"}, {"version": ">= 3.7.0-ea.1, < 3.7.0-ea.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T13:47:03.645Z"}, "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 3.6.11 and 3.7.0-ea.2, Traefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative `rules[].hosts[]` was exploitable for host restriction bypass (for example `tenant.example.com`) || Host(`attacker.com`), producing a router that serves attacker-controlled hosts. Knative `headers[].exact` also allows rule-syntax injection and proves unsafe rule construction. In multi-tenant clusters, this can route unauthorized traffic to victim services and lead to cross-tenant traffic exposure. Versions 3.6.11 and 3.7.0-ea.2 patch the issue."}], "source": {"advisory": "GHSA-67jx-r9pv-98rj", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 3.6.11 and 3.7.0-ea.2, Traefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative `rules[].hosts[]` was exploitable for host restriction bypass (for example `tenant.example.com`) || Host(`attacker.com`), producing a router that serves attacker-controlled hosts. Knative `headers[].exact` also allows rule-syntax injection and proves unsafe rule construction. In multi-tenant clusters, this can route unauthorized traffic to victim services and lead to cross-tenant traffic exposure. Versions 3.6.11 and 3.7.0-ea.2 patch the issue."}], "id": "CVE-2026-32695", "lastModified": "2026-03-27T14:16:08.537", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T14:16:08.537", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"}, {"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/security/advisories/GHSA-67jx-r9pv-98rj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T15:58:18.691716+00:00", "value": {"mitigation_remediation": ["Upgrade Traefik to version 3.6.11 or later, or 3.7.0-ea.2 and above", "If an immediate upgrade is not feasible, restrict who can manage Knative ingress rules or disable the Knative provider in sensitive environments", "Monitor the cluster for unexpected host entries in Knative rules and alert on changes", "Review configuration policies to enforce host restriction validation"], "summary": {"action": "Patch Immediately", "impact": "Cross-tenant traffic exposure by bypassing host restrictions"}, "threat_synthesis": {"affected_systems": "The vulnerability affects deployments of Traefik 3.6.x versions prior to 3.6.11 and 3.7.x versions earlier than 3.7.0-ea.2 when the Knative provider is enabled. This impact is most relevant in multi-tenant Kubernetes clusters where separate teams rely on host restrictions for service isolation.", "description_and_impact": "Traefik, an HTTP reverse proxy and load balancer, allowed attackers to inject unescaped host and header values into Knative ingress rules. The flaw, a classic case of unsafe string interpolation, is categorized under CWE-74. By inserting crafted host patterns such as tenant.example.com||Host(`attacker.com`), an attacker can force the proxy to route traffic to arbitrary services, effectively bypassing intended host restrictions. This can expose internal services to unauthorized users and compromise confidentiality and integrity within a multi-tenant cluster.", "risk_and_exploitability": "The CVSS base score of 6.3 indicates a medium severity flaw. EPSS data is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to create or modify Knative ingress rules, which typically requires cluster-level configuration access. Based on the description, the attack vector is inferred to involve privileged configuration changes rather than remote network entry. Once executed, the rule injection can redirect traffic to attacker-controlled hosts, allowing unauthorized cross-tenant traffic exposure."}}}}, "created": "2026-03-27T20:28:51.444726+00:00", "updated": "2026-03-27T20:28:51.444756+00:00", "vendors": []}