CVE-2026-29777
6.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
Summary
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends. This vulnerability is fixed in 3.6.10.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| traefik | traefik | < 3.6.10 | affected |
Weaknesses
- CWE-74: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj
- https://github.com/traefik/traefik/releases/tag/v3.6.10
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.