Description
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI value, which fails to match wildcard host patterns (e.g., *.example.com) or case variants of the configured hostname. Because the handshake falls back to the default TLS configuration — which may not require client certificates — a client can complete the QUIC handshake without presenting a certificate, while the subsequent HTTP routing layer still dispatches the request to a backend protected by a router-specific mTLS policy. The issue affects deployments where HTTP/3 is enabled, a router uses a wildcard Host rule or case-insensitive hostname matching, a router-specific TLSOptions enforces client certificate authentication, and UDP access to the entrypoint is reachable by an attacker. This vulnerability is fixed in 3.7.3.
Published: 2026-06-23
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traefik's HTTP/3 implementation performs an exact, case-sensitive lookup of the client-supplied SNI against the configured TLSOptions. The lookup misses for wildcard host patterns and for case variants of the configured hostname, so the TLS handshake falls back to the default configuration, which does not require a client certificate. The HTTP routing layer nevertheless dispatches the request to the backend that the router-specific mTLS policy was meant to protect, so an unauthenticated client can reach a service that was intended to require mutual authentication.
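To make the selection failure concrete, the following Go program is an added example (not Traefik's code) that models what the advisory describes: an exact, case-sensitive SNI lookup beside a hardened lookup that lower-cases the SNI and tries a single-label wildcard entry before falling back to the default configuration. The type names, the sample configuration map, and the one-label wildcard rule are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// tlsOptions is a constructed stand-in for a router-specific TLSOptions
// entry; only the client-authentication requirement matters here.
type tlsOptions struct {
	Name       string
	ClientAuth tls.ClientAuthType
}

// defaultOptions models the entrypoint's default TLS configuration, which
// (as in the advisory's scenario) does not require a client certificate.
var defaultOptions = tlsOptions{Name: "default", ClientAuth: tls.NoClientCert}

// sampleConfigs returns constructed TLSOptions keyed by host pattern (keys
// are kept lower-case), resembling a deployment with a wildcard Host rule
// whose router enforces mTLS.
func sampleConfigs() map[string]tlsOptions {
	return map[string]tlsOptions{
		"*.example.com":   {Name: "mtls-wildcard", ClientAuth: tls.RequireAndVerifyClientCert},
		"api.example.org": {Name: "mtls-strict", ClientAuth: tls.RequireAndVerifyClientCert},
	}
}

// selectExact reproduces the flawed behaviour the advisory describes: an
// exact, case-sensitive lookup of the raw SNI value that silently falls
// back to the default configuration on a miss.
func selectExact(configs map[string]tlsOptions, sni string) tlsOptions {
	if opts, ok := configs[sni]; ok {
		return opts
	}
	return defaultOptions
}

// selectHardened normalises the SNI (lower case, no trailing dot), tries an
// exact entry, then the single-label wildcard "*.<parent>" (assumed here to
// follow the usual one-label wildcard rule), and only then falls back.
func selectHardened(configs map[string]tlsOptions, sni string) tlsOptions {
	host := strings.ToLower(strings.TrimSuffix(sni, "."))
	if opts, ok := configs[host]; ok {
		return opts
	}
	if i := strings.IndexByte(host, '.'); i > 0 {
		if opts, ok := configs["*"+host[i:]]; ok {
			return opts
		}
	}
	return defaultOptions
}

// requiresClientCert reports whether the selected configuration would make
// the QUIC/TLS handshake demand and verify a client certificate.
func requiresClientCert(opts tlsOptions) bool {
	return opts.ClientAuth == tls.RequireAndVerifyClientCert
}

func main() {
	cfg := sampleConfigs()
	for _, sni := range []string{"app.example.com", "API.example.org", "unknown.test"} {
		flawed, fixed := selectExact(cfg, sni), selectHardened(cfg, sni)
		fmt.Printf("SNI %-16s flawed=%-14s (client cert: %v)  hardened=%-14s (client cert: %v)\n",
			sni, flawed.Name, requiresClientCert(flawed), fixed.Name, requiresClientCert(fixed))
	}
}
```

Running it shows the two cases from the advisory side by side: with the exact lookup, an SNI of `app.example.com` or `API.example.org` lands on the default configuration and no client certificate is demanded, whereas the hardened lookup selects the mTLS-enforcing entry. A host nobody configured still receives the default in both versions, which is why the default configuration's own client-authentication setting deserves review in deployments that cannot upgrade immediately.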

Affected Systems

The flaw affects all Traefik deployments using the open‑source reverse proxy prior to version 3.7.3 when HTTP/3 is enabled on an entrypoint, a router uses a wildcard host rule or case‑insensitive hostname matching, and a router‑specific TLSOptions enforces client‑certificate authentication. Updating to Traefik 3.7.3 or newer removes the vulnerability.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. EPSS is not available, so the current estimated exploitation probability is unknown but potentially low. KEV is not listed, meaning no documented widespread exploitation. An attacker who can reach the UDP port that handles the HTTP/3 entrypoint can complete the QUIC handshake without presenting a certificate and subsequently be routed to a backend protected by an mTLS policy, effectively bypassing authentication. The impact is unauthorized access to services that depend on client‑certificate validation.

Generated by OpenCVE AI on June 23, 2026 at 23:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traefik to version 3.7.3 or later, where the HTTP/3 TLS configuration selection bug is fixed.
  • If an upgrade is not immediately feasible, disable HTTP/3 on all entrypoints that use lazy SNI selection by setting the HTTP/3 option to false.
  • Alternatively, reconfigure routers to avoid wildcard or case‑insensitive host rules when TLSOptions enforce client‑certificate authentication, or explicitly map the SNI to a TLSOptions that requires client certificates.
  • Verify that UDP traffic to the affected entrypoint is restricted in your network perimeter to limit potential attackers.



Advisories
Source        ID                    Title
GitHub GHSA   GHSA-9cr8-q42q-g8m7   Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts
History

Tue, 23 Jun 2026 22:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Traefik; Traefik traefik
Vendors & Products                     Traefik; Traefik traefik

Tue, 23 Jun 2026 19:45:00 +0000

Type          Values Removed   Values Added
Description                    Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI value, which fails to match wildcard host patterns (e.g., *.example.com) or case variants of the configured hostname. Because the handshake falls back to the default TLS configuration — which may not require client certificates — a client can complete the QUIC handshake without presenting a certificate, while the subsequent HTTP routing layer still dispatches the request to a backend protected by a router-specific mTLS policy. The issue affects deployments where HTTP/3 is enabled, a router uses a wildcard Host rule or case-insensitive hostname matching, a router-specific TLSOptions enforces client certificate authentication, and UDP access to the entrypoint is reachable by an attacker. This vulnerability is fixed in 3.7.3.
Title                          Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts
Weaknesses                     CWE-288
References
Metrics                        cvssV4_0: {'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T19:13:28.844Z

Reserved: 2026-06-09T20:16:59.646Z

Link: CVE-2026-53622

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T00:00:09Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel