CVE-2026-32695
Published: 27 March 2026
Summary
CVE-2026-32695 is a high-severity Injection (CWE-74) vulnerability in Traefik. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the injection vulnerability (CWE-74) by requiring validation and sanitization of user-controlled values interpolated into Traefik's Knative router rule expressions, preventing host restriction bypass and rule-syntax injection.
- SI-2 (Flaw Remediation): addresses the specific flaw in Traefik's Knative provider by requiring timely identification, testing, and installation of patches such as versions 3.6.11 and 3.7.0-ea.2 to remediate the unsafe interpolation.
- SC-7 (Boundary Protection): ensures the HTTP reverse proxy enforces boundary protections to monitor and control communications, preventing the unauthorized cross-tenant traffic routing and exposure exploited via the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an injection vulnerability (CWE-74) in the public-facing Traefik reverse proxy's Knative provider that allows direct rule/host bypass and unauthorized cross-tenant routing; this maps directly to exploitation of a public-facing application.
NVD Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 3.6.11 and 3.7.0-ea.2, Traefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative `rules[].hosts[]` was exploitable for host restriction bypass (for example `tenant.example.com` || Host(`attacker.com`)), producing a router that serves attacker-controlled hosts. Knative `headers[].exact` also allows rule-syntax injection and proves unsafe rule construction. In multi-tenant clusters, this can route unauthorized traffic to victim services and lead to cross-tenant traffic exposure. Versions 3.6.11 and 3.7.0-ea.2 patch the issue.
Deeper analysis
CVE-2026-32695 affects Traefik, an HTTP reverse proxy and load balancer, specifically its Knative provider in versions prior to 3.6.11 and 3.7.0-ea.2. The vulnerability arises from the provider building router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. This enables exploitation in Knative `rules[].hosts[]` for host restriction bypass and in `headers[].exact` for rule-syntax injection, classified as CWE-74 with a CVSS score of 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
In multi-tenant clusters, an attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction. For instance, a host value of `tenant.example.com` || Host(`attacker.com`) closes the backtick-delimited literal and appends a second matcher, causing the router to serve attacker-controlled hosts instead of enforcing the intended restriction. The same unsafe rule construction applies to header values, routing unauthorized traffic to victim services and enabling cross-tenant traffic exposure with high confidentiality impact.
Traefik's security advisory (GHSA-67jx-r9pv-98rj) and release notes for versions 3.6.11 and 3.7.0-ea.2 confirm that the patches address the issue by fixing the unsafe interpolation in rule expressions. Practitioners should upgrade affected Traefik deployments to these versions or later to mitigate the vulnerability.
Details
- CWE(s)