CVE-2026-32305

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
Configurations

Configuration 1

OR
  • cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
  • cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*

History

24 Mar 2026, 15:15

Type        Values Removed   Values Added
CPE         -                cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
                             cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*
First Time  -                Traefik
                             Traefik traefik
CVSS        v2 : unknown     v2 : unknown
            v3 : unknown     v3 : 5.3
Summary     -                (es, translated) Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to an mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
References  -                https://github.com/traefik/traefik/releases/tag/v2.11.41 (Release Notes)
                             https://github.com/traefik/traefik/releases/tag/v3.6.11 (Release Notes)
                             https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2 (Release Notes)
                             https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48 (Patch, Vendor Advisory)

20 Mar 2026, 11:18

Type        Values Removed   Values Added
New CVE

Information

Published : 2026-03-20 11:18

Updated : 2026-03-24 15:15
NVD link : CVE-2026-32305

Mitre link : CVE-2026-32305

CVE.ORG link : CVE-2026-32305
Products Affected

traefik
  • traefik
CWE

CWE-287 : Improper Authentication

CWE-1188 : Insecure Default Initialization of Resource