Impact
Traefik’s Kubernetes Gateway API provider allowed a tenant who could create HTTPRoutes to reference any TraefikService backend whose name ended with @internal. Because of this oversight, a user could route traffic to the rest@internal endpoint even when the providers.rest.insecure=false flag was set, bypassing the intended restriction. The exposed REST handler grants live, dynamic configuration write access to the Traefik instance, allowing a malicious actor to modify routers, services, and other configuration elements. The flaw is a classic example of a privilege escalation and configuration tampering weakness, as described by CWE-284.
Affected Systems
This issue affects the Traefik reverse proxy and load balancer for all versions prior to 2.11.46, 3.6.17, and 3.7.1. Deployments that run shared Gateway APIs and enable the REST provider are at risk when a low‑privileged user is granted the ability to create HTTPRoutes.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity, and there is no EPSS score available, which suggests limited observable exploitation data at this time. The vulnerability is not currently listed in the CISA KEV catalog. An attacker would need legitimate permission to create HTTPRoute resources, which is a prerequisite that limits the attack surface to environments with overly permissive role‑based access control. Once an attacker has that permission, the exploitation path is straightforward: they create or modify an HTTPRoute to reference rest@internal and then interact with the REST API to reconfigure Traefik. No additional foothold or privilege escalation beyond the existing permissions is required.
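An audit check a cluster operator can run over existing HTTPRoutes while rolling out the fixed versions, as an added example that is not Traefik's own code: it reads the JSON that `kubectl get httproutes -A -o json` prints and reports every backend reference (in backendRefs or in a RequestMirror filter) whose name ends in @internal. The sample input below is constructed; the field layout follows the Gateway API HTTPRoute schema.

```python
import json

# Constructed sample in the shape of `kubectl get httproutes -A -o json`.
# Assumption: tenants reference Traefik-internal services via kind/group,
# the way the Gateway API provider expects TraefikService backends.
SAMPLE_KUBECTL_OUTPUT = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"kind": "HTTPRoute",
         "metadata": {"namespace": "tenant-a", "name": "app"},
         "spec": {"rules": [
             {"backendRefs": [{"name": "app-svc", "port": 80}]},
             {"matches": [{"path": {"value": "/admin"}}],
              "backendRefs": [{"group": "traefik.io", "kind": "TraefikService",
                               "name": "rest@internal"}]},
         ]}},
        {"kind": "HTTPRoute",
         "metadata": {"namespace": "tenant-b", "name": "mirror"},
         "spec": {"rules": [
             {"backendRefs": [{"name": "web", "port": 8080}],
              "filters": [{"type": "RequestMirror",
                           "requestMirror": {"backendRef": {
                               "group": "traefik.io", "kind": "TraefikService",
                               "name": "api@internal"}}}]},
         ]}},
    ],
})


def _refs_in_rule(rule):
    """Yield (location, backendRef) for every backend a single rule can name."""
    for ref in rule.get("backendRefs", []):
        yield "backendRefs", ref
    for flt in rule.get("filters", []):
        mirror = flt.get("requestMirror", {})
        if "backendRef" in mirror:
            yield "requestMirror", mirror["backendRef"]


def find_internal_backends(kubectl_json):
    """Return (namespace, route, rule index, location, backend name) for each
    backend reference whose name ends in @internal, whatever its kind."""
    findings = []
    for route in json.loads(kubectl_json).get("items", []):
        meta = route.get("metadata", {})
        for i, rule in enumerate(route.get("spec", {}).get("rules", [])):
            for where, ref in _refs_in_rule(rule):
                if ref.get("name", "").endswith("@internal"):
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     i, where, ref["name"]))
    return findings


if __name__ == "__main__":
    for ns, name, i, where, backend in find_internal_backends(SAMPLE_KUBECTL_OUTPUT):
        print(f"{ns}/{name} rule[{i}] {where} -> {backend}")
```

Any finding outside the namespace that legitimately owns the Traefik dashboard or API is a route to review and remove, and the namespaces that appear are where HTTPRoute create permissions should be tightened.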
OpenCVE Enrichment
Github GHSA