CVE-2026-29777 — Injection in Traefik

CWE-74 — Injection CWE-94 — Code Injection7 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

0.0%

top 97.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Traefik Github.com Traefik Traefik V3 Github.com Traefik Traefik +1 more

Timeline

PublishedMar 11

Latest updateMar 12

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends. This vulnerability is fixed in 3.6.10.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Affected Packages5 packages

▶CVEListV5traefik/traefik< 3.6.10

▶NVDtraefik/traefik< 3.6.10

▶Gogithub.com/traefik_traefik_v3< 3.6.10

▶Gogithub.com/traefik_traefik1.7.34

▶Gogithub.com/traefik_traefik_v22.11.40

🔴Vulnerability Details

OSV

Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values in github.com/traefik/traefik↗2026-03-12

▶

OSV

Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values↗2026-03-11

▶

GHSA

Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values↗2026-03-11

▶

CVEList

Traefik has a kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values↗2026-03-11

▶

📋Vendor Advisories

Red Hat

github.com/traefik/traefik: Traefik: Traffic redirection and hostname bypass via unsanitized input in router rules↗2026-03-11

▶

🕵️Threat Intelligence

Wiz

CVE-2026-29777 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶