Skip to main content

Traefik EUVDEUVD-2026-13663

| CVE-2026-32305 HIGH
Improper Authentication (CWE-287)
2026-03-20 GitHub_M GHSA-wvvq-wgcr-9q48
7.8
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Red Hat
8.3 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Jun 30, 2026 - 03:24 NVD
MEDIUM HIGH
CVSS changed
Jun 30, 2026 - 03:24 NVD
5.3 (MEDIUM) 7.8 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 20, 2026 - 11:00 euvd
EUVD-2026-13663
Analysis Generated
Mar 20, 2026 - 11:00 vuln.today
CVE Published
Mar 20, 2026 - 10:01 nvd
MEDIUM 5.3

DescriptionCVE.org

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.

AnalysisAI

Traefik reverse proxy and load balancer contains an mTLS authentication bypass vulnerability that allows attackers to circumvent mutual TLS certificate requirements by sending fragmented TLS ClientHello packets. Affected versions include Traefik 2.11.40 and below, 3.0.0-beta1 through 3.6.10, and 3.7.0-ea.1. When ClientHello messages are fragmented across multiple TLS records, SNI extraction fails with an EOF error, causing the TCP router to fall back to default TLS configuration without client certificate validation, enabling unauthorized access to services that should require mTLS authentication.

Technical ContextAI

This vulnerability affects cpe:2.3:a:traefik:traefik and stems from CWE-287 (Improper Authentication) in Traefik's TLS Server Name Indication (SNI) pre-sniffing logic. The issue occurs during the TLS handshake when parsing ClientHello messages that are split across multiple TLS records. Traefik's SNI extraction mechanism fails to properly handle fragmented ClientHello packets, encountering an end-of-file condition and returning an empty SNI value. This failure triggers a fallback mechanism in the TCP router that uses the default TLS configuration, which by design does not enforce client certificate requirements. The vulnerability enables attackers to bypass route-specific mTLS policies that would normally mandate mutual authentication between client and server, undermining the security boundary intended by certificate-based authentication controls.

RemediationAI

Immediately upgrade to Traefik version 2.11.41, 3.6.11, or 3.7.0-ea.2 depending on your current version branch, as documented in the release announcements at https://github.com/traefik/traefik/releases/tag/v2.11.41, https://github.com/traefik/traefik/releases/tag/v3.6.11, and https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2. Until patching is completed, implement network-level access controls to restrict connections to Traefik instances only from trusted sources, and consider deploying an upstream TLS termination proxy that enforces client certificate validation before traffic reaches Traefik. Review logs for any suspicious connection patterns involving TLS handshake failures or unexpected access to mTLS-protected services. Consult the comprehensive security advisory at https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48 for additional context and mitigation strategies.

CVE-2023-47633 HIGH POC
7.5 Dec 04

Traefik is an open source HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.5), this vulnerability is re

CVE-2019-12452 HIGH POC
7.5 May 29

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable

CVE-2023-47106 MEDIUM POC
6.5 Dec 04

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2022-23469 MEDIUM POC
6.5 Dec 08

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2025-32431 HIGH
8.8 Apr 21

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2023-54365 HIGH
8.7 Jun 23

Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inheri

CVE-2020-15129 MEDIUM POC
4.7 Jul 30

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik

CVE-2021-32813 HIGH
8.1 Aug 03

Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.1), this vulnerability is remotely explo

CVE-2026-54763 HIGH
7.8 Jul 06

Identity/authorization header spoofing in Traefik reverse proxy (before v2.11.51, v3.6.22, and v3.7.6) lets an attacker

CVE-2026-26999 HIGH
7.5 Mar 05

Traefik versions before 2.11.38 and 3.6.9 allow remote attackers to cause denial of service by sending incomplete TLS re

CVE-2026-25949 HIGH
7.5 Feb 12

Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resou

CVE-2026-29054 HIGH
7.5 Mar 05

Traefik versions 2.11.9-2.11.37 and 3.1.3-3.6.8 contain a case-sensitivity bypass in Connection header handling that all

Vendor StatusVendor

Debian

Bug #983289
traefik
Release Status Fixed Version Urgency
open - -

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

EUVD-2026-13663 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy