Description
Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection (SNICheck) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rule such as Host(*.example.com) with stricter TLS options (for example RequireAndVerifyClientCert), SNICheck resolves the TLS options for the HTTP Host header using exact map lookups only and never applies wildcard matching. If another permissive SNI is served on the same entrypoint, an attacker can complete the TLS handshake under the permissive options and then send an HTTP Host header targeting the wildcard-protected backend, reaching it without presenting a client certificate. This affects the regular HTTPS / HTTP-2 path and does not require HTTP/3. This vulnerability is fixed in 3.7.3.
Published: 2026-06-23
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traefik’s SNICheck component fails to apply wildcard matching when resolving TLSOptions for HTTP Host headers, allowing an unauthenticated client to bypass mutual TLS requirements that are enforced on routers using wildcard host rules. The vulnerability permits an attacker to complete a TLS handshake under permissive options and then target a backend protected by a wildcard‑enforced client‑certificate policy, effectively subverting the intended security posture. This flaw falls under CWE‑288, indicating a security misconfiguration that elevates the risk of unauthorized data access or privilege escalation. The CVSS score of 7.8 reflects a high severity impact on confidentiality and integrity for affected services.

Affected Systems

The issue affects Traefik, the HTTP reverse proxy and load balancer, for all releases from version 3.7.0 through 3.7.3 inclusive. Any deployment using a wildcard host rule (e.g., Host(*.example.com)) with stricter TLSOptions such as RequireAndVerifyClientCert is vulnerable unless the software is updated beyond 3.7.3.

Risk and Exploitability

The attacker does not require authentication and can exploit the flaw from any client capable of initiating a TLS handshake on a permissive SNI served by the same entrypoint as the protected router. The exploit path takes advantage of SNICheck’s exact‑match lookup function, which ignores wildcard TLSOptions. As the EPSS score is unavailable, the likelihood of exploitation remains uncertain, but the vulnerability has not been listed in the CISA KEV catalog. Given the high CVSS score and the low complexity of the attack—merely choosing an appropriate SNI and HTTP Host header—the threat level is significant, especially for services exposed to untrusted networks.

Generated by OpenCVE AI on June 24, 2026 at 00:22 UTC.
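The lookup defect described above, modelled as an added illustration rather than Traefik's own code or part of the OpenCVE analysis: a map from router host names to TLSOptions names is resolved once with an exact lookup (the defective behaviour) and once with wildcard matching (the intended behaviour), and the domain-fronting guard is evaluated with each. The map, the option names and the function names are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// tlsOptionsByHost models the table SNICheck consults: the host names a router
// serves (as written in its Host rule, wildcards included) mapped to the name of
// the TLSOptions applied to that router. Constructed for this example; it is not
// Traefik's data structure.
type tlsOptionsByHost map[string]string

// defaultOptions stands in for the entrypoint's permissive default TLS options,
// which apply whenever no router claims the name.
const defaultOptions = "default"

// normalize strips an optional port and trailing dot and lowercases the name,
// so "API.Example.com:443" and "api.example.com" resolve to the same entry.
func normalize(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(host)), ".")
}

// lookupExact is the defective resolution: an exact map lookup only. A wildcard
// entry such as "*.example.com" is never consulted for "api.example.com", so the
// name silently falls back to the permissive default options.
func lookupExact(m tlsOptionsByHost, host string) string {
	if name, ok := m[normalize(host)]; ok {
		return name
	}
	return defaultOptions
}

// lookupWildcard is the wildcard-aware resolution: an exact entry wins; otherwise
// the leftmost label is replaced by "*" and that key is tried. Only one leftmost
// label is covered, as with wildcard names in TLS certificates, so "*.example.com"
// matches "api.example.com" but neither "a.b.example.com" nor "example.com".
func lookupWildcard(m tlsOptionsByHost, host string) string {
	h := normalize(host)
	if name, ok := m[h]; ok {
		return name
	}
	if i := strings.Index(h, "."); i > 0 {
		if name, ok := m["*"+h[i:]]; ok {
			return name
		}
	}
	return defaultOptions
}

// Resolver is the lookup strategy under evaluation.
type Resolver func(tlsOptionsByHost, string) string

// FrontingAllowed reports whether a request that completed its TLS handshake under
// the options for sni and then carried host in the HTTP Host header would be let
// through. The guard passes only when both names resolve to the same TLSOptions;
// any mismatch is what the proxy should reject with 421 Misdirected Request.
func FrontingAllowed(m tlsOptionsByHost, resolve Resolver, sni, host string) bool {
	if normalize(sni) == normalize(host) {
		return true
	}
	return resolve(m, sni) == resolve(m, host)
}

// SampleConfig is a constructed router layout: a public site on the entrypoint's
// default options and an internal API protected by client-certificate options
// through a wildcard host rule.
var SampleConfig = tlsOptionsByHost{
	"www.example.org": defaultOptions,
	"*.example.com":   "mtls-required",
}

func main() {
	sni, host := "www.example.org", "api.example.com"
	fmt.Printf("exact lookup:    allowed=%v (Host resolves to %q)\n",
		FrontingAllowed(SampleConfig, lookupExact, sni, host), lookupExact(SampleConfig, host))
	fmt.Printf("wildcard lookup: allowed=%v (Host resolves to %q)\n",
		FrontingAllowed(SampleConfig, lookupWildcard, sni, host), lookupWildcard(SampleConfig, host))
}
```

With the exact lookup the wildcard-protected host resolves to the default options, the guard sees two equal option names and lets the request through; with wildcard matching the same request resolves to "mtls-required" against "default" and is rejected. A deployment check built on the same idea is to list every host name a wildcard router is meant to cover and confirm each one resolves to the stricter options rather than the entrypoint default.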

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traefik to version 3.7.3 or later to correct SNICheck’s handling of wildcard TLSOptions.
  • Verify that all routers, including those with wildcard host rules, enforce the desired mutual TLS settings by reviewing TLSOptions configuration.
  • If an upgrade cannot be performed immediately, isolate routers that rely on stronger TLSOptions from routers that use permissive TLSOptions by configuring separate entrypoints or firewall rules to prevent domain‑fronting on the same network segment.
  • Consider implementing network segmentation or firewall restrictions to limit client access to the entrypoints hosting vulnerable configurations until a patch is applied.


Tracking


Advisories
Source: Github GHSA
ID: GHSA-5r4w-85f3-pw66
Title: Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass
History

Tue, 23 Jun 2026 22:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Traefik; Traefik traefik

Type: Vendors & Products
Values Removed: (none)
Values Added: Traefik; Traefik traefik

Tue, 23 Jun 2026 19:45:00 +0000

Type: Description
Values Added: Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection (SNICheck) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rule such as Host(*.example.com) with stricter TLS options (for example RequireAndVerifyClientCert), SNICheck resolves the TLS options for the HTTP Host header using exact map lookups only and never applies wildcard matching. If another permissive SNI is served on the same entrypoint, an attacker can complete the TLS handshake under the permissive options and then send an HTTP Host header targeting the wildcard-protected backend, reaching it without presenting a client certificate. This affects the regular HTTPS / HTTP-2 path and does not require HTTP/3. This vulnerability is fixed in 3.7.3.

Type: Title
Values Added: Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass

Type: Weaknesses
Values Added: CWE-288

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T19:12:10.819Z

Reserved: 2026-05-21T15:33:08.291Z

Link: CVE-2026-48491

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T00:30:05Z

Weaknesses
  • CWE-288: Authentication Bypass Using an Alternate Path or Channel