{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29777", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T16:26:02.898Z", "datePublished": "2026-03-11T15:54:17.219Z", "dateUpdated": "2026-03-11T17:22:36.189Z"}, "containers": {"cna": {"title": "Traefik has a kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.6.10", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.10"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": "< 3.6.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T15:54:17.219Z"}, "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends. This vulnerability is fixed in 3.6.10."}], "source": {"advisory": "GHSA-8q2w-wr49-whqj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T17:22:01.786277Z", "id": "CVE-2026-29777", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T17:22:36.189Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29777", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T17:22:01.786277Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T17:22:25.497Z"}}], "cna": {"title": "Traefik has a kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values", "source": {"advisory": "GHSA-8q2w-wr49-whqj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"status": "affected", "version": "< 3.6.10"}]}], "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj", "name": "https://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.10", "name": "https://github.com/traefik/traefik/releases/tag/v3.6.10", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends. This vulnerability is fixed in 3.6.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T15:54:17.219Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29777", "state": "PUBLISHED", "dateUpdated": "2026-03-11T17:22:36.189Z", "dateReserved": "2026-03-04T16:26:02.898Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T15:54:17.219Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB29FD08-5911-4CF4-8D33-67A6A47C661E", "versionEndExcluding": "3.6.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends. This vulnerability is fixed in 3.6.10."}, {"lang": "es", "value": "Traefik es un proxy inverso HTTP y un balanceador de carga. Antes de la versi\u00f3n 3.6.10, un inquilino con acceso de escritura a un recurso HTTPRoute puede inyectar tokens de reglas delimitados por comillas invertidas en el lenguaje de reglas del router de Traefik a trav\u00e9s de valores de coincidencia de encabezado o par\u00e1metro de consulta no saneados. En implementaciones de pasarela compartida, esto puede eludir las restricciones de nombre de host del oyente y redirigir el tr\u00e1fico para nombres de host de v\u00edctimas a backends controlados por el atacante. Esta vulnerabilidad se corrige en la versi\u00f3n 3.6.10."}], "id": "CVE-2026-29777", "lastModified": "2026-03-19T20:26:04.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T16:16:40.830", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.10"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/traefik/traefik: Traefik: Traffic redirection and hostname bypass via unsanitized input in router rules", "id": "2446584", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446584"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-94", "details": ["A flaw was found in Traefik. A tenant with write access to an HTTPRoute resource can exploit this vulnerability by injecting specially crafted rule tokens into Traefik's router rule language through unsanitized header or query parameter match values. This allows the attacker to bypass listener hostname constraints in shared gateway deployments, leading to the redirection of traffic intended for legitimate hostnames to attacker-controlled backends."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-29777", "package_state": [{"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/traefik-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-03-11T15:54:17Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-29777\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-29777\nhttps://github.com/traefik/traefik/releases/tag/v3.6.10\nhttps://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "traefik", "source": "cna", "vendor": "traefik"}, "product": "traefik", "vendor": "traefik"}], "analysis": {"en": {"generated_at": "2026-03-19T21:27:22.093864+00:00", "value": {"mitigation_remediation": ["Upgrade Traefik to version 3.6.10 or later, which removes the vulnerability.", "Restrict Kubernetes RBAC permissions so that only trusted users can write HTTPRoute resources in shared gateway deployments.", "Review existing HTTPRoute configurations for unexpected backtick usage and adjust or remove them as needed.", "Monitor network traffic for unexpected redirects to attacker-controlled endpoints."], "summary": {"action": "Patch Now", "impact": "Traffic Redirection"}, "threat_synthesis": {"affected_systems": "Affected systems are deployments of the Traefik component (cpe:2.3:a:traefik:traefik) running any version prior to 3.6.10. The vulnerability is relevant in shared gateway scenarios where tenants can modify HTTPRoute definitions. It does not affect standalone servicing of the router that is not exposed to write permissions on these resources.", "description_and_impact": "Traefik, an HTTP reverse proxy and load balancer, contains a vulnerability that allows an attacker with write access to an HTTPRoute resource to inject unescaped backticks into match values. This unsanitized input is processed by Traefik's router rule language, enabling the attacker to form arbitrary rule tokens. The result is an ability to bypass the listener hostname validation and redirect traffic destined for legitimate hostnames to attacker-controlled backends. The weakness is represented by CWE\u201174 and CWE\u201194.", "risk_and_exploitability": "The CVSS score for this issue is 6.1, classified as Medium severity, while the EPSS score is less than 1\u202f%, indicating a low probability of exploitation. It is not listed in CISA\u2019s KEV catalog. The attack vector requires possession of Kubernetes permissions to create or modify HTTPRoute objects. An attacker can then inject backtick\u2011delimited tokens that cause Traefik to interpret them as rules, redirecting traffic to arbitrary destinations."}}}}, "created": "2026-03-12T10:05:35.356626+00:00", "updated": "2026-03-20T15:30:51.206779+00:00", "vendors": ["traefik", "traefik$PRODUCT$traefik"]}