Description
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8.
Published: 2026-02-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

An attacker who can establish an unauthenticated TCP connection to a Traefik entrypoint may send a PostgreSQL STARTTLS prelude and then stop responding. Traefik’s readTimeout configured on that entrypoint is bypassed, so the connection stays open indefinitely, consuming server resources until the system is overwhelmed or services become unavailable.

Affected Systems

Traefik instances running any version prior to 3.6.8 on any supported platform are vulnerable. The issue resides in the handling of STARTTLS requests in the TCP proxy layer.

Risk and Exploitability

The CVSS score of 7.5 indicates a high denial-of-service risk. The EPSS score is under 1%, suggesting exploitation is unlikely at present, and the vulnerability is not listed in CISA's KEV catalog. An attacker only needs network access to the affected TCP port and can exploit the flaw with a simple STARTTLS packet, without authentication or privileged credentials. The weakness involves uncontrolled resource consumption (CWE-400) and potential memory allocation over-commitment (CWE-770).

Generated by OpenCVE AI on April 17, 2026 at 19:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traefik to version 3.6.8 or later.
  • If upgrading is not immediately possible, block or restrict access to the TCP entrypoint for PostgreSQL clients, for example by firewall rules or by controlling ingress traffic.
  • Deploy additional connection-limit or idle-timeout controls on downstream services to mitigate the impact if a stale connection persists.



Advisories
Source: Github GHSA
ID: GHSA-89p3-4642-cr2w
Title: Traefik: TCP readTimeout bypass via STARTTLS on Postgres
History

Fri, 20 Feb 2026 18:45:00 +0000

Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*

Fri, 13 Feb 2026 21:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Traefik; Traefik traefik
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Traefik; Traefik traefik

Fri, 13 Feb 2026 00:15:00 +0000

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-770
Type: References
  Values Removed: (none listed)
  Values Added: (none listed)
Type: Metrics
  Values Removed: threat_severity: None
  Values Added: threat_severity: Important


Thu, 12 Feb 2026 22:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 20:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8.
Type: Title
  Values Removed: (none)
  Values Added: Traefik: TCP readTimeout bypass via STARTTLS on Postgres
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-400
Type: References
  Values Removed: (none listed)
  Values Added: (none listed)
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T21:16:17.659Z

Reserved: 2026-02-09T17:13:54.065Z

Link: CVE-2026-25949

Vulnrichment

Updated: 2026-02-12T21:15:53.389Z

NVD

Status: Analyzed

Published: 2026-02-12T20:16:11.227

Modified: 2026-02-20T18:44:41.160

Link: CVE-2026-25949

Redhat

Severity: Important

Public Date: 2026-02-12T20:01:19Z

Links: CVE-2026-25949 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T20:00:09Z

Weaknesses