Description
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends. This vulnerability is fixed in 3.6.10.
Published: 2026-03-11
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Traffic Redirection
Action: Patch Now
AI Analysis

Impact

Traefik, an HTTP reverse proxy and load balancer, contains a vulnerability that allows an attacker with write access to an HTTPRoute resource to inject unescaped backticks into match values. This unsanitized input is processed by Traefik's router rule language, enabling the attacker to form arbitrary rule tokens. The result is an ability to bypass the listener hostname validation and redirect traffic destined for legitimate hostnames to attacker-controlled backends. The weakness is represented by CWE‑74 and CWE‑94.

Affected Systems

Affected systems are deployments of the Traefik component (cpe:2.3:a:traefik:traefik) running any version prior to 3.6.10. The vulnerability is relevant in shared gateway scenarios where tenants can modify HTTPRoute definitions. It does not affect standalone servicing of the router that is not exposed to write permissions on these resources.

Risk and Exploitability

The CVSS score for this issue is 6.1, classified as Medium severity, while the EPSS score is less than 1 %, indicating a low probability of exploitation. It is not listed in CISA’s KEV catalog. The attack vector requires possession of Kubernetes permissions to create or modify HTTPRoute objects. An attacker can then inject backtick‑delimited tokens that cause Traefik to interpret them as rules, redirecting traffic to arbitrary destinations.

Generated by OpenCVE AI on March 19, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traefik to version 3.6.10 or later, which removes the vulnerability.
  • Restrict Kubernetes RBAC permissions so that only trusted users can write HTTPRoute resources in shared gateway deployments.
  • Review existing HTTPRoute configurations for unexpected backtick usage and adjust or remove them as needed.
  • Monitor network traffic for unexpected redirects to attacker-controlled endpoints.

Generated by OpenCVE AI on March 19, 2026 at 21:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8q2w-wr49-whqj Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values
History

Thu, 19 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Fri, 13 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}

threat_severity

Moderate

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Traefik
Traefik traefik
Vendors & Products Traefik
Traefik traefik

Wed, 11 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends. This vulnerability is fixed in 3.6.10.
Title Traefik has a kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values
Weaknesses CWE-74
References
Metrics cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Traefik Traefik
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T17:22:36.189Z

Reserved: 2026-03-04T16:26:02.898Z

Link: CVE-2026-29777

cve-icon Vulnrichment

Updated: 2026-03-11T17:22:25.497Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T16:16:40.830

Modified: 2026-03-19T20:26:04.850

Link: CVE-2026-29777

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-11T15:54:17Z

Links: CVE-2026-29777 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:30:51Z

Weaknesses