Description
Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection (SNICheck) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rule such as Host(*.example.com) with stricter TLS options (for example RequireAndVerifyClientCert), SNICheck resolves the TLS options for the HTTP Host header using exact map lookups only and never applies wildcard matching. If another permissive SNI is served on the same entrypoint, an attacker can complete the TLS handshake under the permissive options and then send an HTTP Host header targeting the wildcard-protected backend, reaching it without presenting a client certificate. This affects the regular HTTPS / HTTP-2 path and does not require HTTP/3. This vulnerability is fixed in 3.7.3.
Published: 2026-06-23
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traefik’s SNICheck validation mishandles wildcard matching of TLSOptions when resolving the TLS options for HTTP Host headers. An attacker can exploit this flaw by completing a TLS handshake with a permissive SNI on the same entrypoint, then sending an HTTP Host header that targets a backend protected by a wildcard‑enforced client‑certificate policy (e.g., Host(*.example.com) with RequireAndVerifyClientCert). The attacker can therefore bypass mutual TLS enforcement and access the protected backend without presenting a client certificate. This is a high‑severity misconfiguration that impacts confidentiality and integrity of resources protected by stricter TLSOptions. The flaw is tracked by CWE-288 and CWE-807 and has been fixed in Traefik version 3.7.3.

Affected Systems

The issue affects Traefik, the HTTP reverse proxy and load balancer, for all releases from version 3.7.0 through 3.7.3 inclusive. Any deployment using a wildcard host rule (e.g., Host(*.example.com)) with stricter TLSOptions such as RequireAndVerifyClientCert is vulnerable unless the software is updated beyond 3.7.3.

Risk and Exploitability

The attacker does not require authentication and can exploit the flaw from any client capable of initiating a TLS handshake on a permissive SNI served by the same entrypoint as the protected router. The exploit path takes advantage of SNICheck’s exact‑match lookup function, which ignores wildcard TLSOptions. As the EPSS score is unavailable, the likelihood of exploitation remains uncertain, but the vulnerability has not been listed in the CISA KEV catalog. Given the CVSS score of 7.8 and the low complexity of the attack—merely choosing an appropriate SNI and HTTP Host header—the threat level is significant, especially for services exposed to untrusted networks.

Generated by OpenCVE AI on June 24, 2026 at 13:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traefik to version 3.7.3 or later to correct SNICheck’s handling of wildcard TLSOptions.
  • Verify that all routers, including those with wildcard host rules, enforce the desired mutual TLS settings by reviewing TLSOptions configuration.
  • If an upgrade cannot be performed immediately, isolate routers that rely on stronger TLSOptions from routers that use permissive TLSOptions by configuring separate entrypoints or firewall rules to prevent domain‑fronting on the same network segment.
  • Consider implementing network segmentation or firewall restrictions to limit client access to the entrypoints hosting vulnerable configurations until a patch is applied.

Generated by OpenCVE AI on June 24, 2026 at 13:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5r4w-85f3-pw66 Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass
History

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-807
References
Metrics threat_severity

None

cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

threat_severity

Important


Tue, 23 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Traefik
Traefik traefik
Vendors & Products Traefik
Traefik traefik

Tue, 23 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Description Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection (SNICheck) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rule such as Host(*.example.com) with stricter TLS options (for example RequireAndVerifyClientCert), SNICheck resolves the TLS options for the HTTP Host header using exact map lookups only and never applies wildcard matching. If another permissive SNI is served on the same entrypoint, an attacker can complete the TLS handshake under the permissive options and then send an HTTP Host header targeting the wildcard-protected backend, reaching it without presenting a client certificate. This affects the regular HTTPS / HTTP-2 path and does not require HTTP/3. This vulnerability is fixed in 3.7.3.
Title Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass
Weaknesses CWE-288
References
Metrics cvssV4_0

{'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T12:09:58.744Z

Reserved: 2026-05-21T15:33:08.291Z

Link: CVE-2026-48491

cve-icon Vulnrichment

Updated: 2026-06-30T03:20:59.654Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-23T19:12:10Z

Links: CVE-2026-48491 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T13:45:16Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel

  • CWE-807

    Reliance on Untrusted Inputs in a Security Decision