PT-2026-26601 · Traefik · Traefik

Infinityhub123 · Published 2026-03-20 · Updated 2026-03-27 · CVE-2026-32305

CVSS v4.0: 7.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions

Traefik versions 2.11.40 and below
Traefik versions 3.0.0-beta1 through 3.6.11
Traefik version 3.7.0-ea.1
Description

Traefik, an HTTP reverse proxy and load balancer, is susceptible to a mutual TLS (mTLS) bypass caused by a flaw in its TLS SNI pre-sniffing logic when handling fragmented ClientHello packets. When a TLS ClientHello is fragmented, Traefik's SNI extraction can fail, causing it to fall back to a default TLS configuration that does not require client certificates. This allows an attacker to circumvent route-level mTLS enforcement and reach services intended to be protected by mutual TLS authentication. The root cause is a mismatch between the point at which Traefik selects the per-host TLS policy and the point at which Go's TLS stack parses the complete ClientHello: the pre-sniff logic only peeks at a limited portion of the fragmented ClientHello, so it can miss the SNI and default to the permissive configuration.
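The mismatch described above, as an added example that is not Traefik's code or its fix: a Go pre-sniffer that reassembles the ClientHello across TLS records before looking for the server_name extension, and reports "need more bytes" (errIncomplete) separately from "complete hello without SNI", so a fragmented ClientHello can never fall through to the default TLS options. The function and error names are assumptions; the record and ClientHello layouts are the standard TLS ones.

```go
package main
import (
	"encoding/binary"
	"errors"
)
// Callers keep reading on errIncomplete and reject on errMalformed; neither may select the default (no client cert) TLS options.
var (
	errIncomplete = errors.New("clienthello incomplete: need more bytes")
	errMalformed  = errors.New("malformed clienthello")
)
func u16(b []byte) int { return int(binary.BigEndian.Uint16(b)) }
func u24(b []byte) int { return int(b[0])<<16 | u16(b[1:3]) }
// sniFromBuffer reassembles the ClientHello across TLS records and returns its server_name ("" with a nil error means a complete hello carrying no SNI).
func sniFromBuffer(buf []byte) (string, error) {
	var hs []byte // handshake bytes reassembled from consecutive TLS records
	for len(hs) < 4 || len(hs) < 4+u24(hs[1:4]) { // until one whole handshake message
		if len(buf) > 0 && buf[0] != 0x16 {
			return "", errMalformed // not a TLS handshake record (e.g. plaintext)
		} else if len(buf) < 5 || len(buf) < 5+u16(buf[3:5]) {
			return "", errIncomplete // record header or body still in flight
		}
		n := 5 + u16(buf[3:5])
		hs, buf = append(hs, buf[5:n]...), buf[n:]
	}
	body, pos, bad := hs[4:4+u24(hs[1:4])], 34, hs[0] != 0x01 // type 1 = ClientHello; pos 34 skips version(2)+random(32)
	take := func(n int) []byte { // next n bytes of body; zero-filled once malformed
		if bad = bad || pos+n > len(body); bad {
			return make([]byte, 5)
		}
		pos += n
		return body[pos-n : pos]
	}
	take(int(take(1)[0])) // session_id
	take(u16(take(2)))    // cipher_suites
	take(int(take(1)[0])) // compression_methods
	end := u16(take(2))   // extensions length ...
	end += pos            // ... as the cursor position where the extensions end
	for !bad && pos < end {
		if t, n := u16(take(2)), u16(take(2)); t != 0 { // not server_name: skip it
			take(n)
		} else if name := take(u16(take(5)[3:5])); !bad { // list_len(2) name_type(1) name_len(2) host_name
			return string(name), nil
		}
	}
	if bad {
		return "", errMalformed
	}
	return "", nil
}
```

A router using this must buffer and retry on errIncomplete instead of treating the missing SNI as "use the default TLS options".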
Recommendations

Traefik versions prior to 2.11.41 are vulnerable.
Traefik versions 3.0.0-beta1 through 3.6.11 are vulnerable.
Traefik version 3.7.0-ea.1 is vulnerable.

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2026-32305
GHSA-WVVQ-WGCR-9Q48
GO-2026-4793
OPENSUSE-SU-2026:10444-1
OPENSUSE-SU-2026:10445-1
SUSE-SU-2026:1135-1

Affected Products

Traefik