CVE-2026-32695: Ingress Rule Injection and Host Restriction Bypass in Traefik

Traefik serves as a widely deployed HTTP reverse proxy and load balancer in cloud-native environments. The software relies on a dynamic rule engine to route incoming traffic to appropriate backend services. This routing configuration is frequently automatically generated by provider modules that translate external state, such as Kubernetes Ingress resources, into Traefik's internal Domain-Specific Language (DSL).

CVE-2026-32695 identifies an injection vulnerability within the Kubernetes providers for Traefik, specifically the Knative, Ingress, and Ingress-NGINX modules. These providers improperly construct routing rules by interpolating user-controlled values without adequate escaping. This flaw allows authenticated users with resource creation privileges to inject arbitrary logic into the generated routing expressions.

The vulnerability is classified as CWE-74, representing an improper neutralization of special elements in output used by a downstream component. An attacker exploiting this flaw can manipulate the routing logic to bypass host-based restrictions. This results in the exposure of cross-tenant traffic in multi-tenant cluster configurations.

The issue affects Traefik versions prior to 3.6.11 and the 3.7.0 early access track prior to 3.7.0-ea.2. The security impact is scoped primarily to the subsequent confidentiality of other tenants' traffic. The vulnerability carries a CVSS 4.0 base score of 6.3, reflecting the requirement for existing cluster privileges and the specific network configuration.

The root cause of CVE-2026-32695 lies in the string interpolation methodology used by Traefik's Kubernetes provider implementations. Traefik's rule engine evaluates routing expressions defined in a custom DSL. Within this DSL, string literals are typically enclosed in backtick characters to denote raw strings.

The vulnerable Kubernetes providers build these routing expressions dynamically based on values extracted from Kubernetes API resources. The code utilized the fmt.Sprintf function with the %v or %s format verbs to embed user-controlled hostnames directly into the backtick-delimited strings. The application performed no sanitization or escaping of the input values prior to this interpolation.

Because the input was not escaped, a user could supply a string containing a backtick character to prematurely terminate the string literal within the generated DSL expression. Once the string is terminated, the parser interprets the subsequent characters as executable DSL syntax rather than literal string data. This creates a classic injection vector where data boundaries are conflated with code boundaries.

The lack of input validation at the provider level meant that Traefik implicitly trusted the data structure of the Kubernetes Ingress resource. The vulnerability occurs strictly during the translation phase between the Kubernetes API state and Traefik's internal configuration state. The routing engine itself processes the injected rule verbatim, completely unaware that the logic originated from an untrusted source.

An examination of the vulnerable code path reveals the direct interpolation of unvalidated input into the routing expressions. In the Knative and Ingress providers, the Host rule was constructed using simple string formatting. The application appended the generated string to the hostRules collection for subsequent evaluation by the rule engine.

The following code snippet demonstrates the vulnerable implementation in the Knative provider. The host variable, derived directly from the Kubernetes resource definition, is injected into the backtick-enclosed string using the %v format verb.

// Vulnerable implementation in pkg/provider/kubernetes/knative/kubernetes.go
hostRules = append(hostRules, fmt.Sprintf("Host(`%v`)", host))

The remediation for this vulnerability, introduced in commit 11d251415a6fd935025df5a9dda898e17e3097b2, replaces the insecure string interpolation with safe quoting. The patch substitutes the %v and %s format verbs with %q. In Go's fmt package, the %q verb securely formats the input as a double-quoted string, automatically escaping any internal quotes or special characters using strconv.Quote.

The patch effectively neutralizes the injection vector by ensuring that the user input remains strictly bounded as a string literal during DSL evaluation. This fix is comprehensive for the identified vulnerable paths within the Kubernetes providers. The following diff illustrates the exact changes made to both the Knative and Ingress providers to enforce secure string boundaries.

// pkg/provider/kubernetes/knative/kubernetes.go
- hostRules = append(hostRules, fmt.Sprintf("Host(`%v`)", host))
+ hostRules = append(hostRules, fmt.Sprintf("Host(%q)", host))
 
// pkg/provider/kubernetes/ingress/kubernetes.go
- return fmt.Sprintf("Host(`%s`)", host)
+ return fmt.Sprintf("Host(%q)", host)

Exploitation of CVE-2026-32695 requires the attacker to possess authorization to create or modify Ingress or Knative resources within the target Kubernetes cluster. This prerequisite establishes the attack vector as an authenticated, internal threat model. The attacker uses standard Kubernetes API interaction tools, such as kubectl, to deploy the malicious configuration.

The attack methodology centers on crafting a malicious host value within the Ingress resource definition. The attacker engineers a string that begins with a legitimate hostname, closes the backtick delimiter, appends a logical operator, and introduces a new routing directive. For example, the attacker might supply the value `legit-tenant.example.com`) || Host(`attacker-controlled.com`.

When the Traefik provider processes this malicious resource, the string formatting function generates the combined DSL expression: Host(`legit-tenant.example.com`) || Host(`attacker-controlled.com`). The Traefik routing engine subsequently evaluates this entire expression as a valid configuration. The resulting internal rule instructs the proxy to direct traffic for both the legitimate tenant and the attacker-controlled domain to the attacker's designated backend service.

This mechanism allows the attacker to unilaterally expand the scope of their routing rules. By injecting the || (OR) operator alongside additional Host directives, the attacker forces the proxy to process traffic intended for administrative endpoints or isolated tenants.

The primary impact of this vulnerability is the breakdown of logical isolation in multi-tenant environments. Traefik is frequently deployed as the central ingress controller for shared clusters, relying on strict host-based routing to segregate tenant traffic. The injection flaw allows a malicious tenant to subvert this routing logic entirely.

By injecting arbitrary host rules, an attacker can coerce the Traefik proxy into routing traffic intended for other tenants to the attacker's backend pods. This enables the interception of sensitive requests, potentially leading to the disclosure of authentication tokens, session cookies, or proprietary data. The integrity of the application traffic remains unaffected, but the confidentiality is severely compromised.

Furthermore, the attacker can leverage this vulnerability to bypass administrative host restrictions. If certain administrative interfaces or internal services are protected by routing rules that restrict access to specific hostnames, the attacker can append their own hostname to the rule evaluation. This provides unauthorized access to endpoints that were previously shielded by the ingress controller's configuration.

The CVSS 4.0 assessment of 6.3 reflects the specific operational constraints of the vulnerability. While the subsequent confidentiality impact is high, the attack requires prior authorization to manipulate cluster state. The vulnerability does not permit remote code execution on the Traefik host or direct access to the underlying operating system.

The definitive remediation for CVE-2026-32695 is upgrading the Traefik deployment to a patched version. Users operating on the 3.6 release branch must upgrade to version 3.6.11 or later. Users evaluating the 3.7 early access track must upgrade to version 3.7.0-ea.2 or later to ensure the secure quoting mechanisms are in place.

Organizations unable to immediately deploy the patched versions must implement compensating controls at the Kubernetes API level. The most effective mitigation strategy involves deploying a Validating Admission Controller, such as OPA Gatekeeper or Kyverno. Administrators should configure rules that explicitly reject any Ingress or Knative resource containing backticks or unexpected special characters within the host or header fields.

Additionally, cluster administrators must audit and restrict Role-Based Access Control (RBAC) permissions. Only highly trusted users and service accounts should possess the authorization to create or modify ingress configurations in multi-tenant clusters. Reducing the attack surface by limiting resource modification privileges minimizes the risk of successful exploitation by a malicious insider or compromised tenant account.

Following the application of the patch, administrators should review existing Traefik routing configurations and Kubernetes Ingress resources for signs of anomalous or injected host definitions. Any unexpected logical operators or multiple host declarations within a single rule context should be treated as an indicator of compromise and investigated accordingly.