Description
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7.
Published: 2026-01-15
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The flaw in Traefik's ACME TLS-ALPN fast path is a resource-exhaustion vulnerability that allows an unauthenticated client to tie up goroutines and file descriptors indefinitely. The attacker sends a minimal ClientHello offering acme-tls/1 and then stops responding, so the entry point becomes saturated by long-lived connections. The result is a denial of service of the affected entry point, as normal traffic can no longer be served. The weakness maps to CWE-770.
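
The defensive pattern the advisory title names, a bound on the handshake and an unconditional close when it fails, is easy to show in Go, the language Traefik is written in. The following is an added example and is not Traefik's code or its fix: serveTLSWithDeadline wraps the server side of a TLS handshake in a context deadline, so a peer that opens a connection and then sends nothing is closed instead of holding a goroutine and a file descriptor. Everything in it is constructed for the demo: the function names, the 200 ms handshakeTimeout, the self-signed Ed25519 certificate, and the in-memory net.Pipe peers used so it runs offline; stalledPeerIsClosed exercises the stall the advisory describes and wellBehavedPeerCompletes shows a normal client is unaffected.

```go
package main

import (
	"context"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// handshakeTimeout bounds how long an accepted connection may sit in the TLS handshake (demo value, not Traefik's).
const handshakeTimeout = 200 * time.Millisecond

var ErrHandshakeStalled = errors.New("tls handshake stalled; connection closed")

// serveTLSWithDeadline runs the server side of a TLS handshake on raw and gives up if the peer has not
// finished within timeout. HandshakeContext closes the underlying conn when ctx expires; closing on
// every other failure as well means no misbehaving peer keeps the descriptor or this goroutine.
func serveTLSWithDeadline(raw net.Conn, cfg *tls.Config, timeout time.Duration) (*tls.Conn, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	tc := tls.Server(raw, cfg)
	if err := tc.HandshakeContext(ctx); err != nil {
		_ = raw.Close()
		if errors.Is(ctx.Err(), context.DeadlineExceeded) {
			return nil, ErrHandshakeStalled
		}
		return nil, err
	}
	return tc, nil
}

// selfSignedConfig builds a throwaway server config (constructed fixture; panics on failure) so the demo runs
// offline. Session tickets are off only because the demo client never reads after its handshake and net.Pipe writes block until read.
func selfSignedConfig() *tls.Config {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}},
		NextProtos:             []string{"h2", "http/1.1"},
		SessionTicketsDisabled: true,
	}
}

// stalledPeerIsClosed reproduces the advisory's failure mode in memory: the peer opens a connection and
// sends nothing. It reports whether the server gave up with ErrHandshakeStalled and how long that took.
func stalledPeerIsClosed() (bool, time.Duration) {
	server, client := net.Pipe() // in-memory peers, no sockets needed
	defer client.Close()
	start := time.Now()
	_, err := serveTLSWithDeadline(server, selfSignedConfig(), handshakeTimeout)
	return errors.Is(err, ErrHandshakeStalled), time.Since(start)
}

// wellBehavedPeerCompletes checks that the wrapper still accepts a peer that finishes in time and returns the negotiated ALPN protocol.
func wellBehavedPeerCompletes() (string, error) {
	server, client := net.Pipe()
	defer client.Close()
	clientErr := make(chan error, 1)
	go func() { // demo client; InsecureSkipVerify only because the certificate above is self-signed
		clientErr <- tls.Client(client, &tls.Config{InsecureSkipVerify: true, NextProtos: []string{"http/1.1"}}).Handshake()
	}()
	tc, err := serveTLSWithDeadline(server, selfSignedConfig(), handshakeTimeout)
	if err != nil {
		return "", err
	}
	if err := <-clientErr; err != nil {
		return "", err
	}
	proto := tc.ConnectionState().NegotiatedProtocol
	_ = client.Close() // close the peer first so the server's close_notify does not block on the pipe
	_ = tc.Close()
	return proto, nil
}

func main() {
	stalled, took := stalledPeerIsClosed()
	proto, err := wellBehavedPeerCompletes()
	fmt.Println("stalled peer closed:", stalled, "after", took.Round(time.Millisecond), "| good peer:", proto, err)
}
```

In a real listener loop the wrapper sits between Accept and the per-connection goroutine, so the worst a silent peer can cost is one goroutine for handshakeTimeout. It only covers the handshake phase; peers that complete the handshake and then idle need the usual read-header and idle timeouts of the HTTP layer, and a per-source connection limit catches the floods that monitoring alone would only report.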

Affected Systems

Affected installations are Traefik deployments running versions 2.10.x through 2.11.34 and 3.4.x through 3.6.6. The vulnerability is present in all 2.x and 3.x releases before the updates to 2.11.35 and 3.6.7 respectively. Administrators who enable the ACME TLS challenge on their load balancer entry points are at risk.

Risk and Exploitability

The CVSS base score of 5.9 indicates moderate severity, and the EPSS probability of under 1% suggests that exploitation is unlikely in the current landscape. The flaw is not listed in CISA's KEV catalog. The attack surface is limited to clients that can initiate TLS handshakes on the entry point, so the immediate risk is low, but the potential for service disruption is real. Updating to the patched releases removes the vulnerability entirely.

Generated by OpenCVE AI on April 18, 2026 at 05:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Traefik to at least v2.11.35 or v3.6.7
  • If the ACME TLS challenge is not required, disable the ACME TLS-ALPN fast path in the configuration
  • Implement monitoring or rate limiting on entry points to detect abnormal connection spikes

Advisories

Source: GitHub GHSA
ID: GHSA-cwjm-3f7h-9hwq
Title: Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall
History

Fri, 23 Jan 2026 19:30:00 +0000
CPEs added: cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*

Tue, 20 Jan 2026 17:15:00 +0000
Metrics ssvc added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 14:15:00 +0000
First Time appeared: Traefik; Traefik traefik
Vendors & Products added: Traefik; Traefik traefik

Fri, 16 Jan 2026 12:15:00 +0000
References: changed (no values listed)
Metrics threat_severity: None removed, Moderate added

Thu, 15 Jan 2026 22:45:00 +0000
Description added: Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7.
Title added: Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall
Weaknesses added: CWE-770
References: changed (no values listed)
Metrics cvssV3_1 added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-01-20T16:29:37.648Z
Reserved: 2026-01-05T22:30:38.720Z
Link: CVE-2026-22045

Vulnrichment
Updated: 2026-01-20T16:29:31.728Z

NVD
Status: Analyzed
Published: 2026-01-15T23:15:51.593
Modified: 2026-01-23T19:29:05.890
Link: CVE-2026-22045

Red Hat
Severity: Moderate
Public Date: 2026-01-15T22:44:05Z
Links: CVE-2026-22045 - Bugzilla

OpenCVE Enrichment
Updated: 2026-04-18T06:00:08Z

Weaknesses