Description
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
Published: 2026-03-20
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access via mutual TLS bypass
Action: Immediate patch
AI Analysis

Impact

Traefik versions 2.11.40 and earlier, 3.0.0‑beta1 through 3.6.11, and 3.7.0‑ea.1 contain a flaw in the SNI pre‑sniffing logic that can be triggered by a fragmented TLS ClientHello. When the hello message is split across multiple records, the SNI extraction fails and the router receives an empty host name. The TCP router then falls back to the default TLS configuration, which does not require client certificates. This flaw allows an attacker to bypass the route‑level mutual TLS enforcement and connect to services that should only be reachable with client authentication, thereby exposing confidential communications and potentially allowing further exploitation. The weakness is rooted in improper input handling (CWE‑1188) combined with insufficient verification of critical security parameters (CWE‑179) and incorrect authentication logic (CWE‑287).

Affected Systems

Traefik, the open‑source HTTP reverse proxy and load balancer, is affected. The problematic versions are 2.11.40 and all earlier releases, 3.0.0‑beta1 through 3.6.11, and the early access release 3.7.0‑ea.1. Users running any of these builds should review their deployment and update to a fixed version.

Risk and Exploitability

The vulnerability is rated high with a CVSS score of 7.8, but the low EPSS score of less than one percent indicates that it is not frequently exploited in the wild. It is not listed in the CISA KEV catalog. The attack can be performed remotely by an adversary who can send a specially crafted fragmented TLS ClientHello to a Traefik instance that has route‑level mTLS enabled. No special privileges are required on the server side, making the threat moderate to high for exposed deployments. Prompt remediation is therefore recommended.

Generated by OpenCVE AI on March 24, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traefik to 2.11.41 or newer
  • Upgrade to 3.6.11 or newer
  • Upgrade to 3.7.0‑ea.2 or newer
  • Verify that the TLS configuration requires client certificates for protected routes after the upgrade
  • Restart Traefik to apply the new configuration

Generated by OpenCVE AI on March 24, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wvvq-wgcr-9q48 Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config
History

Tue, 24 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Mon, 23 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-179
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L'}

threat_severity

Important

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Traefik
Traefik traefik
Vendors & Products Traefik
Traefik traefik

Fri, 20 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 10:30:00 +0000

Type Values Removed Values Added
Description Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
Title Traefik mTLS bypass via fragmented ClientHello SNI extraction failure
Weaknesses CWE-1188
CWE-287
References
Metrics cvssV4_0

{'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Traefik Traefik
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T13:45:04.503Z

Reserved: 2026-03-11T21:16:21.659Z

Link: CVE-2026-32305

cve-icon Vulnrichment

Updated: 2026-03-20T13:44:59.946Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T11:18:02.360

Modified: 2026-03-24T15:15:55.563

Link: CVE-2026-32305

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-20T10:01:13Z

Links: CVE-2026-32305 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:29:37Z

Weaknesses