CVE-2026-29777
Published 2026-03-11
Priority: P340 · medium · 6.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:H / A:N
EPSS: 0.28% (19.4th percentile)
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, a tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends. This vulnerability is fixed in 3.6.10.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | traefik_traefik | 0 – 1.7.34 | — |
| github.com | traefik_traefik_v2 | 0 – 2.11.40 | — |
| github.com | traefik_traefik_v3 | >= 0 < 3.6.10 | 3.6.10 |
| traefik | traefik | < 3.6.10 | 3.6.10 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| nvd | v4.0 | 6.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 6.1 | MEDIUM | — |
VulDB
CVE-2026-29777 [MEDIUM] Traefik up to 3.6.9 Query Parameter injection (GHSA-8q2w-wr49-whqj / Nessus ID 318669)
vuldb · 2026-06-05 · CVSS 6.1
A vulnerability classified as problematic was found in Traefik up to 3.6.9. The impacted element is an unknown function of the component Query Parameter Handler. Executing a manipulation can lead to injection.
The identification of this vulnerability is CVE-2026-29777. The attack may be launched remotely. There is no exploit available.
Upgrading the affected component is advised.
OSV
CVE-2026-29777 Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values in github.com/traefik/traefik
osv · 2026-03-12
OSV
CVE-2026-29777 [MEDIUM] Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values
osv · 2026-03-11
## Summary
There is a potential vulnerability in Traefik's Kubernetes Gateway provider related to rule injection.
A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends.
## Patches
- https://github.com/traefik/traefik/releases/tag/v3.6.10
## For more information
If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).
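The advisory names a single injection vector: a backtick inside an HTTPRoute header or query parameter match value, which Traefik's router rule language uses as its string delimiter. The following audit script is an added example, not Traefik's own code or the 3.6.10 fix; it walks HTTPRoute objects in the Gateway API v1 JSON shape (for instance the output of `kubectl get httproutes -A -o json`) and reports every match name or value that carries a backtick, so a cluster operator can find affected routes before upgrading. The sample route list is constructed for the demo.

```python
"""Audit Gateway API HTTPRoute objects for backticks in header and query
parameter match values, the injection vector named in this advisory.

Added example, not Traefik's own code. Assumes routes are plain dicts in the
Gateway API v1 JSON shape (e.g. `kubectl get httproutes -A -o json`);
the sample list below is constructed.
"""
import json

# Backtick delimits string literals in Traefik's router rule language, so a
# match value containing one can terminate the literal early.
RULE_DELIMITER = "`"


def find_unsafe_match_values(httproute):
    """Return (namespace/name, json-path, text) for each header or query
    parameter match whose name or value contains the rule delimiter."""
    meta = httproute.get("metadata", {})
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    for ri, rule in enumerate(httproute.get("spec", {}).get("rules", [])):
        for mi, match in enumerate(rule.get("matches", [])):
            for kind in ("headers", "queryParams"):
                for ei, entry in enumerate(match.get(kind, [])):
                    for field in ("name", "value"):
                        text = str(entry.get(field, ""))
                        if RULE_DELIMITER in text:
                            path = f"spec.rules[{ri}].matches[{mi}].{kind}[{ei}].{field}"
                            findings.append((ident, path, text))
    return findings


def audit(httproute_list):
    """Audit a HTTPRouteList (kubectl -o json shape); return all findings."""
    out = []
    for item in httproute_list.get("items", []):
        out.extend(find_unsafe_match_values(item))
    return out


# Constructed sample: one clean route, one whose query match value carries a stray backtick.
SAMPLE_LIST = json.loads("""
{"items": [
  {"metadata": {"namespace": "team-a", "name": "clean"},
   "spec": {"rules": [{"matches": [{"path": {"value": "/api"},
                                     "headers": [{"name": "X-Tenant", "value": "a"}]}]}]}},
  {"metadata": {"namespace": "team-b", "name": "suspect"},
   "spec": {"rules": [{"matches": [{"queryParams": [{"name": "ver", "value": "1`2"}]}]}]}}
]}""")

if __name__ == "__main__":
    for ident, path, value in audit(SAMPLE_LIST):
        print(f"{ident}: {path} contains a backtick: {value!r}")
```

Any finding is a route to review and, until the upgrade, to remove from a shared gateway; a clean audit does not replace upgrading to 3.6.10.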
GHSA
CVE-2026-29777 [MEDIUM] CWE-74 Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values
ghsa · 2026-03-11
Red Hat
CVE-2026-29777 [MEDIUM] CWE-94 github.com/traefik/traefik: Traefik: Traffic redirection and hostname bypass via unsanitized input in router rules
vendor_redhat · 2026-03-11 · CVSS 6.1
A flaw was found in Traefik. A tenant with write access to an HTTPRoute resource can exploit this vulnerability by injecting specially crafted rule tokens into Traefik's router rule language through unsanitized header or query parameter
No detection rules found.
No public exploits indexed.
Published: 2026-03-11