GHSA-8Q2W-WR49-WHQJ

Vulnerability from github – Published: 2026-03-11 14:49 – Updated: 2026-03-13 13:32
VLAI?
Summary
Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values
Details

Summary

There is a potential vulnerability in Traefik's Kubernetes Gateway provider related to rule injection.

A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends.

Patches

  • https://github.com/traefik/traefik/releases/tag/v3.6.10

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description hey Traefik, repo: https://github.com/traefik/traefik commit: a4a91344edcdd6276c1b766ca19ee3f0e346480f (as-of 2026-03-02) traefik's kubernetes gateway provider builds router rules by interpolating HTTPRoute match values into the traefik rule language using backtick-delimited string literals (e.g., `Header(`name`,`value`)`, `Query(`name`,`value`)`) without escaping or validation. because backtick is a delimiter in the rule language, a tenant-controlled backtick can terminate the literal and inject additional rule tokens (for example `) || HostRegexp(`.\*`) || ...`). this changes the parsed ast so that an injected OR branch is not gated by the intended `Host(...)` constraint due to operator precedence, and can result in end-to-end routing hijack (victim host routed to attacker backends). in shared gateway deployments that rely on gateway API listener hostname constraints to isolate tenants, this can enable cross-tenant routing hijack to attacker-controlled backends. ## expected vs actual expected: provider-generated rules must be injection-safe; tenant-controlled match values must not be able to change the rule parse tree beyond literal argument content, especially across listener hostname-constraint boundaries in shared gateway deployments. actual: a backtick inside a header/query match value can inject an OR branch into the generated rule, changing the ast root from `and` to `or` and enabling hostname-constraint bypass. ## severity HIGH (impact ceiling may reach the top severity tier in shared gateway threat models; end-to-end kubernetes reproduction is recommended to demonstrate cross-tenant routing impact). CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N = 8.7 cwe: CWE-74 (improper neutralization of special elements in output used by a downstream component) ## affected versions - confirmed vulnerable at: a4a91344edcdd6276c1b766ca19ee3f0e346480f (pinned commit) - release matrix: not yet confirmed (needs version mapping for gateway api provider in v3) ## affected code - `pkg/provider/kubernetes/gateway/httproute.go`: `buildHeaderRules` and `buildQueryParamRules` build `Header(`%s`,`%s`)` / `Query(`%s`,`%s`)` without escaping - `pkg/provider/kubernetes/gateway/grpcroute.go`: `buildGRPCHeaderRules` builds `Header(`%s`,`%s`)` / `HeaderRegexp(`%s`,`%s`)` without escaping - `pkg/provider/kubernetes/knative/kubernetes.go`: `buildRule` builds `Header(`%s`,`%s`)` without escaping - the generated rule string is parsed by `pkg/muxer/http/parser.go` (predicate-based rule parser) - github permalinks (pinned): - https://github.com/traefik/traefik/blob/a4a91344edcdd6276c1b766ca19ee3f0e346480f/pkg/provider/kubernetes/gateway/httproute.go#L742 - https://github.com/traefik/traefik/blob/a4a91344edcdd6276c1b766ca19ee3f0e346480f/pkg/provider/kubernetes/gateway/httproute.go#L761 ## root cause the kubernetes gateway provider formats rule strings using backticks as string delimiters: 
rules = append(rules, fmt.Sprintf("Header(`%s`,`%s`)", header.Name, header.Value))
rules = append(rules, fmt.Sprintf("Query(`%s`,`%s`)", qp.Name, qp.Value))
if `header.Value` (or `qp.Value`) contains a backtick and operator tokens, it can terminate the literal and inject additional rule-language tokens, changing the parse tree. ## attacker control attacker-controlled input is the kubernetes control plane object `HTTPRoute` in a tenant namespace. the attacker controls: 1. `HTTPRoute.Spec.Rules[].Matches[].Headers[].Value` and/or `QueryParams[].Value` (string) 2. the payload content, including backticks and rule tokens ## impact in shared gateway setups, this can bypass gateway API listener hostname constraints, causing requests for victim hostnames to be routed to attacker backends. downstream effects can include credential/token capture and request forgery, depending on the workload behind the gateway. traefik's documentation frames gateway API as providing safer multi-tenant primitives via listener constraints (see https://doc.traefik.io/traefik/security/multi-tenant-kubernetes/). rule injection breaks those constraints when they are relied upon as a boundary. ## reproduction (attachment: poc.zip) attachment includes `poc.zip` with an integration PoC that: - shows canonical behavior where injection changes the parsed ast root to `or` and routes `victim.com` to the attacker handler (emits `[PROOF_MARKER]`) - shows a negative control using injection-safe quoting (`%q`) where the ast root remains `and` and routes `victim.com` to the victim handler (emits `[NC_MARKER]`) run canonical: 
unzip poc.zip -d poc
cd poc
make canonical
canonical output excerpt: 
[CALLSITE_HIT]
[PROOF_MARKER]
run control: 
unzip poc.zip -d poc
cd poc
make control
control output excerpt: 
[NC_MARKER]
## recommended fix encode rule arguments using injection-safe quoting (for example `fmt.Sprintf("Header(%q,%q)", name, value)`), or otherwise reject/escape backticks and other rule-language metacharacters before interpolation. add regression tests that include backticks and operator tokens inside header/query match values and assert they cannot change the parse tree. **fix accepted when:** tenant-controlled HTTPRoute match values cannot inject operators into the generated rule string and cannot change the resulting parsed ast structure. [[poc.zip](https://github.com/user-attachments/files/25698814/poc.zip)](https://github.com/user-attachments/files/25698814/poc.zip) [[PR_DESCRIPTION.md](https://github.com/user-attachments/files/25698815/PR_DESCRIPTION.md)](https://github.com/user-attachments/files/25698815/PR_DESCRIPTION.md) [[attack_scenario.md](https://github.com/user-attachments/files/25698816/attack_scenario.md)](https://github.com/user-attachments/files/25698816/attack_scenario.md) cheers, Oleh Konko
Severity ?
6.1 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.6.9"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.7.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.11.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29777"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T14:49:44Z",
    "nvd_published_at": "2026-03-11T16:16:40Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThere is a potential vulnerability in Traefik\u0027s Kubernetes Gateway provider related to rule injection.\n\nA tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik\u0027s router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v3.6.10\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\nhey Traefik,\n\n\nrepo: https://github.com/traefik/traefik\ncommit: a4a91344edcdd6276c1b766ca19ee3f0e346480f (as-of 2026-03-02)\n\ntraefik\u0027s kubernetes gateway provider builds router rules by interpolating HTTPRoute match values into the traefik rule language using backtick-delimited string literals (e.g., `Header(`name`,`value`)`, `Query(`name`,`value`)`) without escaping or validation.\n\nbecause backtick is a delimiter in the rule language, a tenant-controlled backtick can terminate the literal and inject additional rule tokens (for example `) || HostRegexp(`.\\*`) || ...`). this changes the parsed ast so that an injected OR branch is not gated by the intended `Host(...)` constraint due to operator precedence, and can result in end-to-end routing hijack (victim host routed to attacker backends).\n\nin shared gateway deployments that rely on gateway API listener hostname constraints to isolate tenants, this can enable cross-tenant routing hijack to attacker-controlled backends.\n\n## expected vs actual\n\nexpected: provider-generated rules must be injection-safe; tenant-controlled match values must not be able to change the rule parse tree beyond literal argument content, especially across listener hostname-constraint boundaries in shared gateway deployments.\n\nactual: a backtick inside a header/query match value can inject an OR branch into the generated rule, changing the ast root from `and` to `or` and enabling hostname-constraint bypass.\n\n## severity\n\nHIGH (impact ceiling may reach the top severity tier in shared gateway threat models; end-to-end kubernetes reproduction is recommended to demonstrate cross-tenant routing impact).\n\nCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N = 8.7\n\ncwe: CWE-74 (improper neutralization of special elements in output used by a downstream component)\n\n## affected versions\n\n- confirmed vulnerable at: a4a91344edcdd6276c1b766ca19ee3f0e346480f (pinned commit)\n- release matrix: not yet confirmed (needs version mapping for gateway api provider in v3)\n\n## affected code\n\n- `pkg/provider/kubernetes/gateway/httproute.go`: `buildHeaderRules` and `buildQueryParamRules` build `Header(`%s`,`%s`)` / `Query(`%s`,`%s`)` without escaping\n- `pkg/provider/kubernetes/gateway/grpcroute.go`: `buildGRPCHeaderRules` builds `Header(`%s`,`%s`)` / `HeaderRegexp(`%s`,`%s`)` without escaping\n- `pkg/provider/kubernetes/knative/kubernetes.go`: `buildRule` builds `Header(`%s`,`%s`)` without escaping\n- the generated rule string is parsed by `pkg/muxer/http/parser.go` (predicate-based rule parser)\n- github permalinks (pinned):\n  - https://github.com/traefik/traefik/blob/a4a91344edcdd6276c1b766ca19ee3f0e346480f/pkg/provider/kubernetes/gateway/httproute.go#L742\n  - https://github.com/traefik/traefik/blob/a4a91344edcdd6276c1b766ca19ee3f0e346480f/pkg/provider/kubernetes/gateway/httproute.go#L761\n\n## root cause\n\nthe kubernetes gateway provider formats rule strings using backticks as string delimiters:\n\n```go\nrules = append(rules, fmt.Sprintf(\"Header(`%s`,`%s`)\", header.Name, header.Value))\nrules = append(rules, fmt.Sprintf(\"Query(`%s`,`%s`)\", qp.Name, qp.Value))\n```\n\nif `header.Value` (or `qp.Value`) contains a backtick and operator tokens, it can terminate the literal and inject additional rule-language tokens, changing the parse tree.\n\n## attacker control\n\nattacker-controlled input is the kubernetes control plane object `HTTPRoute` in a tenant namespace. the attacker controls:\n\n1. `HTTPRoute.Spec.Rules[].Matches[].Headers[].Value` and/or `QueryParams[].Value` (string)\n2. the payload content, including backticks and rule tokens\n\n## impact\n\nin shared gateway setups, this can bypass gateway API listener hostname constraints, causing requests for victim hostnames to be routed to attacker backends. downstream effects can include credential/token capture and request forgery, depending on the workload behind the gateway.\n\ntraefik\u0027s documentation frames gateway API as providing safer multi-tenant primitives via listener constraints (see https://doc.traefik.io/traefik/security/multi-tenant-kubernetes/). rule injection breaks those constraints when they are relied upon as a boundary.\n\n## reproduction (attachment: poc.zip)\n\nattachment includes `poc.zip` with an integration PoC that:\n\n- shows canonical behavior where injection changes the parsed ast root to `or` and routes `victim.com` to the attacker handler (emits `[PROOF_MARKER]`)\n- shows a negative control using injection-safe quoting (`%q`) where the ast root remains `and` and routes `victim.com` to the victim handler (emits `[NC_MARKER]`)\n\nrun canonical:\n\n```bash\nunzip poc.zip -d poc\ncd poc\nmake canonical\n```\n\ncanonical output excerpt:\n\n```\n[CALLSITE_HIT]\n[PROOF_MARKER]\n```\n\nrun control:\n\n```bash\nunzip poc.zip -d poc\ncd poc\nmake control\n```\n\ncontrol output excerpt:\n\n```\n[NC_MARKER]\n```\n\n## recommended fix\n\nencode rule arguments using injection-safe quoting (for example `fmt.Sprintf(\"Header(%q,%q)\", name, value)`), or otherwise reject/escape backticks and other rule-language metacharacters before interpolation. add regression tests that include backticks and operator tokens inside header/query match values and assert they cannot change the parse tree.\n\n**fix accepted when:** tenant-controlled HTTPRoute match values cannot inject operators into the generated rule string and cannot change the resulting parsed ast structure.\n\n\n[[poc.zip](https://github.com/user-attachments/files/25698814/poc.zip)](https://github.com/user-attachments/files/25698814/poc.zip)\n[[PR_DESCRIPTION.md](https://github.com/user-attachments/files/25698815/PR_DESCRIPTION.md)](https://github.com/user-attachments/files/25698815/PR_DESCRIPTION.md)\n[[attack_scenario.md](https://github.com/user-attachments/files/25698816/attack_scenario.md)](https://github.com/user-attachments/files/25698816/attack_scenario.md)\n\n\ncheers,\nOleh Konko\n\n\u003c/details\u003e",
  "id": "GHSA-8q2w-wr49-whqj",
  "modified": "2026-03-13T13:32:45Z",
  "published": "2026-03-11T14:49:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29777"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.