CVE-2026-22045
Published 2026-01-15
Priority: P3 (43) · Severity: high · CVSS 3.1 base score: 7.5 · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.32% (23.9th percentile)
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with `acme-tls/1`, then stop responding, leading to denial of service of the entrypoint. The vulnerability is fixed in 2.11.35 and 3.6.7.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | traefik_traefik_v2 | >= 0 < 2.11.35 | 2.11.35 |
| github.com | traefik_traefik_v3 | >= 0 < 3.6.7 | 3.6.7 |
| github.com | traefik_traefik_v3 | >= 0 < 3.6.8 | 3.6.8 |
| traefik | traefik | < 2.11.35 | 2.11.35 |
| traefik | traefik | — | — |
| traefik | traefik | >= 3.0.0 < 3.6.7 | 3.6.7 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (CVSS v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Red Hat (vendor) | 5.9 | MEDIUM | |
GHSA · 2026-02-12 · CVE-2026-25949 [HIGH] CWE-400 · Traefik: TCP readTimeout bypass via STARTTLS on Postgres
## Impact
There is a potential vulnerability in Traefik managing STARTTLS requests.
An unauthenticated client can bypass Traefik entrypoint `respondingTimeouts.readTimeout` by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service.
## Patches
- https://github.com/traefik/traefik/releases/tag/v3.6.8
## For more information
If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).
Original Description
### Summary
A remote, unauthenticated client can bypass Traefik entrypoint `respondingTimeouts.readTimeout` by sending the 8-byte Postgres SSLRequest (STARTTLS)
OSV · 2026-02-12 · CVE-2026-25949 [HIGH] · Traefik: TCP readTimeout bypass via STARTTLS on Postgres (mirrors the GHSA advisory text above)
OSV · 2026-01-23 · CVE-2026-22045 · Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall in github.com/traefik/traefik
GHSA · 2026-01-15 · CVE-2026-22045 [MEDIUM] CWE-770 · Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall
## Impact
There is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled.
A malicious client can open many connections, send a minimal ClientHello with `acme-tls/1`, then stop responding, leading to denial of service of the entrypoint.
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.35
- https://github.com/traefik/traefik/releases/tag/v3.6.7
## For more information
If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).
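Both advisories on this page describe the same defect shape: a read that happens before the TLS handshake completes (the ACME TLS-ALPN fast path here, the 8-byte Postgres SSLRequest prelude in CVE-2026-25949) is not bounded by the entrypoint's read timeout, so a client that sends a few bytes and goes silent keeps a goroutine and a file descriptor. The following Go code is an added example of the defensive pattern, not Traefik's own code: set a socket deadline before the handshake and close on any failure. `HandshakeTimeout`, `ServeOne` and `IsStall` are names chosen for this demo, and the config carries no certificate because a stalled client never reaches certificate selection.

```go
package main

import (
	"crypto/tls"
	"errors"
	"net"
	"os"
	"time"
)

// HandshakeTimeout bounds how long an unauthenticated peer may hold a
// half-finished TLS handshake. Both advisories describe the absence of
// such a bound on one code path (the TLS-ALPN fast path, the Postgres
// SSLRequest prelude) while the generic readTimeout covers the others.
const HandshakeTimeout = 300 * time.Millisecond

// ServeOne accepts a single connection, runs the TLS handshake under a
// deadline and closes the socket on any failure, so a stalled client
// releases its goroutine and file descriptor instead of pinning them.
// It returns the handshake error so callers (and the test) can classify it.
func ServeOne(ln net.Listener, cfg *tls.Config) error {
	raw, err := ln.Accept()
	if err != nil {
		return err
	}
	defer raw.Close() // the "close on handshake stall" half of the fix
	// The deadline covers the ClientHello read: a client that sends a minimal
	// hello advertising acme-tls/1 (or nothing at all) and goes silent is cut
	// off after HandshakeTimeout instead of being waited on forever.
	if err := raw.SetDeadline(time.Now().Add(HandshakeTimeout)); err != nil {
		return err
	}
	tc := tls.Server(raw, cfg)
	if err := tc.Handshake(); err != nil {
		return err
	}
	// Handshake complete: lift the deadline so the normal per-request
	// read/write timeouts take over. A real server hands tc off here.
	return raw.SetDeadline(time.Time{})
}

// IsStall reports whether a handshake failure was the deadline firing
// rather than a protocol error; it is the event to count and alert on.
func IsStall(err error) bool {
	return errors.Is(err, os.ErrDeadlineExceeded)
}
```

Counting `IsStall` results per source address is a cheap detection signal for this class of slow-handshake exhaustion, independent of which code path the stall lands on.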
OSV · 2026-01-15 · CVE-2026-22045 [MEDIUM] · Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall (mirrors the GHSA advisory text above)
Red Hat · 2026-01-15 · CVSS 5.9 · CVE-2026-22045 [MEDIUM] CWE-770 · traefik: Traefik: Denial of Service via ACME TLS-ALPN fast path resource exhaustion
A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This vulnerability exists in the ACME TLS-ALPN fast path, where unauthenticated clients can exploit it. B
No detection rules found.
No public exploits indexed.
Published: 2026-01-15