Bug 2446584 (CVE-2026-29777)

Summary:	CVE-2026-29777 github.com/traefik/traefik: Traefik: Traffic redirection and hostname bypass via unsanitized input in router rules
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	sdawley
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	A flaw was found in Traefik. A tenant with write access to an HTTPRoute resource can exploit this vulnerability by injecting specially crafted rule tokens into Traefik's router rule language through unsanitized header or query parameter match values. This allows the attacker to bypass listener hostname constraints in shared gateway deployments, leading to the redirection of traffic intended for legitimate hostnames to attacker-controlled backends.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-03-11 17:02:26 UTC

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends. This vulnerability is fixed in 3.6.10.