{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32305", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T21:16:21.659Z", "datePublished": "2026-03-20T10:01:13.620Z", "dateUpdated": "2026-03-20T13:45:04.503Z"}, "containers": {"cna": {"title": "Traefik mTLS bypass via fragmented ClientHello SNI extraction failure", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1188", "lang": "en", "description": "CWE-1188: Insecure Default Initialization of Resource", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48"}, {"name": "https://github.com/traefik/traefik/releases/tag/v2.11.41", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.41"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.6.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": "< 2.11.41", "status": "affected"}, {"version": ">= 3.0.0-beta1, < 3.6.11", "status": "affected"}, {"version": ">= 3.7.0-ea.1, < 3.7.0-ea.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:01:13.620Z"}, "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2."}], "source": {"advisory": "GHSA-wvvq-wgcr-9q48", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T13:44:56.647317Z", "id": "CVE-2026-32305", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:45:04.503Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32305", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T13:44:56.647317Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:44:59.946Z"}}], "cna": {"title": "Traefik mTLS bypass via fragmented ClientHello SNI extraction failure", "source": {"advisory": "GHSA-wvvq-wgcr-9q48", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"status": "affected", "version": "< 2.11.41"}, {"status": "affected", "version": ">= 3.0.0-beta1, < 3.6.11"}, {"status": "affected", "version": ">= 3.7.0-ea.1, < 3.7.0-ea.2"}]}], "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48", "name": "https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v2.11.41", "name": "https://github.com/traefik/traefik/releases/tag/v2.11.41", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.11", "name": "https://github.com/traefik/traefik/releases/tag/v3.6.11", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2", "name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1188", "description": "CWE-1188: Insecure Default Initialization of Resource"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:01:13.620Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32305", "state": "PUBLISHED", "dateUpdated": "2026-03-20T13:45:04.503Z", "dateReserved": "2026-03-11T21:16:21.659Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T10:01:13.620Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "440A1D58-1FFD-408A-A6B0-25E23F5C24AF", "versionEndExcluding": "2.11.41", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "90620FAD-4F72-465E-A744-D62559C92F18", "versionEndIncluding": "3.6.11", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*", "matchCriteriaId": "7881B288-5141-4508-AB71-3F7586168437", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2."}, {"lang": "es", "value": "Traefik es un proxy inverso HTTP y balanceador de carga. Las versiones 2.11.40 e inferiores, 3.0.0-beta1 hasta 3.6.11, y 3.7.0-ea.1 son vulnerables a un bypass de mTLS a trav\u00e9s de la l\u00f3gica de pre-sniffing de SNI de TLS relacionada con paquetes ClientHello fragmentados. Cuando un ClientHello de TLS se fragmenta en m\u00faltiples registros, la extracci\u00f3n de SNI de Traefik puede fallar con un EOF y devolver un SNI vac\u00edo. El router TCP entonces recurre a la configuraci\u00f3n TLS predeterminada, que no requiere certificados de cliente por defecto. Esto permite a un atacante saltarse la aplicaci\u00f3n de mTLS a nivel de ruta y acceder a servicios que deber\u00edan requerir autenticaci\u00f3n TLS mutua. Este problema est\u00e1 parcheado en las versiones 2.11.41, 3.6.11 y 3.7.0-ea.2."}], "id": "CVE-2026-32305", "lastModified": "2026-03-24T15:15:55.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T11:18:02.360", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.41"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-1188"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Traefik: github.com/traefik/traefik: Traefik: mTLS bypass allows unauthorized service access via fragmented ClientHello.", "id": "2449595", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449595"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-179", "details": ["A flaw was found in Traefik, an HTTP reverse proxy and load balancer. A remote attacker can exploit this vulnerability by sending fragmented ClientHello packets during the Transport Layer Security (TLS) handshake. This causes Traefik's Server Name Indication (SNI) extraction to fail, leading to a fallback to a default TLS configuration that does not require client certificates. This allows an attacker to bypass mutual TLS (mTLS) authentication, gaining unauthorized access to services that should be protected by client certificate requirements."], "mitigation": {"lang": "en:us", "value": "To mitigate unauthorized access, restrict network access to the Traefik instance to only trusted clients and networks. Implement firewall rules to limit inbound connections to the ports Traefik listens on for mTLS-protected services. For example, using `firewalld`, specific source IP addresses or networks can be allowed. After applying firewall rules, ensure the firewall service is reloaded for changes to take effect. This reduces the attack surface by preventing untrusted external access to the Traefik instance."}, "name": "CVE-2026-32305", "package_state": [{"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argo-rollouts-rhel8", "product_name": "Red Hat OpenShift GitOps"}], "public_date": "2026-03-20T10:01:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32305\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32305\nhttps://github.com/traefik/traefik/releases/tag/v2.11.41\nhttps://github.com/traefik/traefik/releases/tag/v3.6.11\nhttps://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2\nhttps://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.41)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0-beta1,3.6.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.7.0-ea.1,3.7.0-ea.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "traefik", "source": "cna", "vendor": "traefik"}, "product": "traefik", "vendor": "traefik"}], "analysis": {"en": {"generated_at": "2026-03-20T11:50:54.471358+00:00", "value": {"mitigation_remediation": ["Update Traefik to version 2.11.41 or later (including versions 3.6.11, 3.7.0-ea.2, or newer releases) which contain the SNI extraction fix."], "summary": {"action": "Patch", "impact": "mTLS Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Traefik versions 2.11.40 and earlier, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1. A fix was released for versions 2.11.41, 3.6.11, and 3.7.0-ea.2, or any later release.", "description_and_impact": "Traefik\u2019s TLS SNI pre\u2011sniffing logic fails to extract the server name when a ClientHello is fragmented across multiple records, resulting in an empty SNI value. The TCP router therefore falls back to the default TLS configuration, which does not force client\u2011certificate validation. This flaw allows an attacker to establish a TLS connection to services that are protected by mutual TLS, effectively bypassing route\u2011level mTLS enforcement and enabling unauthorized access to protected services. The vulnerability is associated with authentication bypass (CWE-287) and improper handling of TLS SNI data (CWE-1188).", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high severity, meaning successful exploitation can lead to unauthorized access and compromise the confidentiality and integrity of services protected by mTLS. No EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalog, so active exploitation is not confirmed. The attack requires the ability to send a fragmented ClientHello during a TLS handshake and does not require privileged access on the target system."}}}}, "created": "2026-03-20T14:13:49.576867+00:00", "updated": "2026-03-20T16:27:26.721942+00:00", "vendors": ["traefik", "traefik$PRODUCT$traefik"]}