CVE-2026-22045

Name of the Vulnerable Software and Affected Versions Traefik versions prior to 2.11.35 and 3.6.7

Description Traefik, an HTTP reverse proxy and load balancer, has a potential issue in its ACME TLS certificates' automatic generation. The ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, and then stop responding, leading to a denial of service of the entry point. The vulnerability stems from a lack of timeouts and proper connection closing within the ACME TLS-ALPN handling code, specifically in pkg/server/router/tcp/router.go. This allows a client to exhaust server resources by holding open goroutines and file descriptors without a defined limit.

Recommendations Traefik versions prior to 2.11.35 must be updated. Traefik versions prior to 3.6.7 must be updated.