CVE-2026-29777

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends. This vulnerability is fixed in 3.6.10.

CVSS Metrics

• v4.0•MEDIUM•Score: 6.1CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
• v4.0•MEDIUM•Score: 6.1CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
• v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS Trends

Current EPSS score: 0.02%• Percentile: 5%

Techniques & Countermeasures

• CWE-74•Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Systems

• github.com/traefik•traefik

  ≤ 1.7.34 | all

• github.com/traefik/traefik•v2

  ≤ 2.11.40 | all

• github.com/traefik/traefik•v3

  < 3.6.10

• traefik•traefik

  < 3.6.10

References (4)

• https://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj
• https://github.com/traefik/traefik/releases/tag/v3.6.10
• https://nvd.nist.gov/vuln/detail/CVE-2026-29777
• https://github.com/traefik/traefik