CVE-2026-32305

MEDIUM

Traefik mTLS bypass via fragmented ClientHello SNI extraction failure

Title source: cna

Description

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.

References (4)

[X_Refsource_Confirm] https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48

[X_Refsource_Misc] https://github.com/traefik/traefik/releases/tag/v2.11.41

[X_Refsource_Misc] https://github.com/traefik/traefik/releases/tag/v3.6.11

[X_Refsource_Misc] https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2

Scores

CVSS v3 5.3

EPSS 0.0002

EPSS Percentile 5.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-1188 CWE-287

Status published

Products (7)

traefik/traefik 3.7.0 ea1

traefik/traefik < 2.11.41 (2 CPE variants)

traefik/traefik 0Go

traefik/traefik 0 - 2.11.41Go

traefik/traefik 3.7.0-ea.1 - 3.7.0-ea.2Go

traefik/traefik >= 3.0.0-beta1, < 3.6.11

traefik/traefik >= 3.7.0-ea.1, < 3.7.0-ea.2

Published Mar 20, 2026

Tracked Since Mar 20, 2026