CVE-2026-32695

MEDIUM EPSS 32.8%
Published Mar 27, 20263mo ago · Modified Jun 17, 20261w ago
6.3 CVSS 4.0
Medium
Find Similar
Published Mar 27, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 3.6.11 and 3.7.0-ea.2, Traefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative `rules[].hosts[]` was exploitable for host restriction bypass (for example `tenant.example.com`) || Host(`attacker.com`), producing a router that serves attacker-controlled hosts. Knative `headers[].exact` also allows rule-syntax injection and proves unsafe rule construction. In multi-tenant clusters, this can route unauthorized traffic to victim services and lead to cross-tenant traffic exposure. Versions 3.6.11 and 3.7.0-ea.2 patch the issue.

CVSS Details

Base Score
6.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
32.8% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-74

Affected Products 2

VendorProductVersionRange
traefiktraefik* <3.6.11
traefiktraefik3.7.0any

References 3

  • github.com https://github.com/traefik/traefik/releases/tag/v3.6.11
    ProductRelease Notes
  • github.com https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2
    ProductRelease Notes
  • github.com https://github.com/traefik/traefik/security/advisories/GHSA-67jx-r9pv-98rj
    ExploitPatchVendor Advisory

Remediation

  • github.com https://github.com/traefik/traefik/security/advisories/GHSA-67jx-r9pv-98rj
    ExploitPatchVendor Advisory