Traefik mTLS bypass via fragmented ClientHello SNI extraction failure
Summary
| CVE | CVE-2026-32305 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-20 11:18:02 UTC |
| Updated | 2026-06-30 03:18:32 UTC |
| Description | Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2. |
Risk And Classification
Primary CVSS: v4.0 7.8 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.004050000 probability, percentile 0.324060000 (date 2026-07-02)
Problem Types: CWE-287: Improper Authentication | CWE-1188: Insecure Default Initialization of Resource | CWE-179: Incorrect Behavior Order: Early Validation
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 7.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/C... |
| 4.0 | CNA | DECLARED | 7.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N |
| 3.1 | [email protected] | Primary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | ADP | CVSS | 8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Traefik | Traefik | affected < 2.11.41 | Not specified |
| CNA | Traefik | Traefik | affected >= 3.0.0-beta1, < 3.6.11 | Not specified |
| CNA | Traefik | Traefik | affected >= 3.7.0-ea.1, < 3.7.0-ea.2 | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces 3.27 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces 3.28 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift GitOps | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/traefik/traefik/releases/tag/v2.11.41 | [email protected] | github.com | Release Notes |
| access.redhat.com/security/cve/CVE-2026-32305 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/traefik/traefik/releases/tag/v3.6.11 | [email protected] | github.com | Release Notes |
| github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48 | [email protected] | github.com | Patch, Vendor Advisory |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:10175 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32305.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| github.com/traefik/traefik/releases/tag/v3.7.0-ea.2 | [email protected] | github.com | Release Notes |
| access.redhat.com/errata/RHSA-2026:21772 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-20T11:02:42.394Z | Reported to Red Hat. |
| ADP | 2026-03-20T10:01:13.620Z | Made public. |
Solutions
ADP: RHSA-2026:10175: Red Hat OpenShift Dev Spaces 3.27
ADP: RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28
Workarounds
ADP: To mitigate unauthorized access, restrict network access to the Traefik instance to only trusted clients and networks. Implement firewall rules to limit inbound connections to the ports Traefik listens on for mTLS-protected services. For example, using `firewalld`, specific source IP addresses or networks can be allowed. After applying firewall rules, ensure the firewall service is reloaded for changes to take effect. This reduces the attack surface by preventing untrusted external access to the Traefik instance.