CVE-2026-32695 Overview
CVE-2026-32695 is an Injection vulnerability affecting Traefik, an HTTP reverse proxy and load balancer. The vulnerability exists in Traefik's Knative provider, which builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without proper escaping. This flaw allows attackers to inject malicious rule syntax, enabling host restriction bypass and unauthorized traffic routing.
Critical Impact
In multi-tenant Kubernetes clusters, attackers can exploit this vulnerability to route unauthorized traffic to victim services, leading to cross-tenant traffic exposure and potential data breaches.
Affected Products
- Traefik versions prior to 3.6.11
- Traefik versions prior to 3.7.0-ea.2
- Traefik deployments using the Knative provider
Discovery Timeline
- 2026-03-27 - CVE-2026-32695 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-32695
Vulnerability Analysis
This vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), commonly known as Injection. The flaw resides in how Traefik's Knative provider constructs router rules dynamically. When processing Knative resources, the provider interpolates user-supplied values directly into rule expressions using backtick delimiters without sanitizing or escaping special characters.
The attack exploits two specific Knative configuration vectors: the rules[].hosts[] array and headers[].exact values. An attacker with the ability to create or modify Knative resources can craft malicious values that break out of the intended rule context and inject arbitrary routing logic.
Root Cause
The root cause is insufficient input validation and lack of output encoding when constructing Traefik router rules from Knative configuration values. The Knative provider trusts user-controlled data and directly concatenates it into rule expressions, allowing attackers to escape the intended rule boundaries using special characters like backticks and parentheses.
Attack Vector
The attack requires network access and low-level privileges (the ability to create Knative resources in a cluster). An attacker can exploit this vulnerability by defining a malicious host value in a Knative Ingress resource. For example, setting a host value to tenant.example.com) || Host(attacker.com causes Traefik to generate a router rule that matches both the legitimate tenant domain and an attacker-controlled domain.
This manipulation effectively bypasses host-based access controls. In multi-tenant environments, an attacker in one tenant namespace could route traffic intended for their domain through to services belonging to another tenant, or conversely, intercept traffic by making their malicious host respond to requests meant for victim services.
The headers[].exact configuration presents a similar attack surface, allowing injection of arbitrary rule syntax through header matching configurations. Both vectors demonstrate the unsafe construction of routing rules from untrusted input.
Detection Methods for CVE-2026-32695
Indicators of Compromise
- Knative Ingress resources containing unexpected special characters (backticks, parentheses, pipe operators) in hosts[] values
- Traefik router configurations showing multiple host matchers combined with logical OR operators unexpectedly
- Traffic logs indicating requests for unexpected domains being routed to internal services
- Unusual cross-namespace traffic patterns in multi-tenant Kubernetes clusters
Detection Strategies
- Audit all Knative Ingress resources for malformed or suspicious host patterns using kubectl or policy engines
- Implement admission controllers to validate Knative resource configurations before they are applied
- Monitor Traefik configuration changes and alert on router rules containing unexpected logical operators
- Review Traefik access logs for traffic to domains not explicitly configured in your infrastructure
Monitoring Recommendations
- Enable verbose logging in Traefik to capture router rule generation events
- Deploy network policies to restrict cross-namespace traffic and alert on violations
- Use service mesh observability tools to track traffic flow anomalies between services
- Implement continuous configuration auditing for Knative and Traefik resources
How to Mitigate CVE-2026-32695
Immediate Actions Required
- Upgrade Traefik to version 3.6.11 or 3.7.0-ea.2 immediately
- Audit existing Knative Ingress resources for potentially malicious configurations
- Review network policies to ensure proper tenant isolation in multi-tenant clusters
- Monitor for any signs of exploitation using the detection strategies above
Patch Information
Traefik has released security patches addressing this vulnerability. Organizations should upgrade to version 3.6.11 for the stable release line or 3.7.0-ea.2 for the early access track. The patches implement proper input sanitization for values interpolated into router rule expressions, preventing rule syntax injection attacks.
For detailed release information, consult the GitHub Release v3.6.11, GitHub Release v3.7.0-ea.2, and the GitHub Security Advisory GHSA-67jx-r9pv-98rj.
Workarounds
- Implement Kubernetes admission controllers (OPA/Gatekeeper, Kyverno) to validate and reject Knative resources containing special characters in host fields
- Restrict RBAC permissions for creating and modifying Knative Ingress resources to trusted administrators only
- Deploy network policies to enforce strict tenant isolation and limit blast radius if exploitation occurs
- Consider temporarily disabling the Knative provider if not actively required until patches can be applied
# Example: Validate Traefik version after upgrade
kubectl get deployment traefik -n traefik -o jsonpath='{.spec.template.spec.containers[0].image}'
# Expected output should show v3.6.11 or v3.7.0-ea.2
# Audit Knative Ingresses for suspicious patterns
kubectl get kingress --all-namespaces -o yaml | grep -E "hosts:|exact:" | grep -E "[)(\`|]"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
