CVE-2026-32305

EPSS 0.02%
Veröffentlicht 20.03.2026 10:01:13
Zuletzt bearbeitet 20.03.2026 13:37:50
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellertraefik

≫

Produkt traefik

Version < 2.11.41

Status affected

Version >= 3.0.0-beta1, < 3.6.11

Status affected

Version >= 3.7.0-ea.1, < 3.7.0-ea.2

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.041

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.8	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-1188 Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48

https://github.com/traefik/traefik/releases/tag/v2.11.41

https://github.com/traefik/traefik/releases/tag/v3.6.11

https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2

https://nvd.nist.gov/vuln/detail/CVE-2026-32305

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32305

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32305

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-32305