CVE-2026-25949
Published: 2026-02-12
Priority: P346, high, 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.71% (48.8th percentile)
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | traefik_traefik_v3 | >= 0 < 3.6.8 | 3.6.8 |
| traefik | traefik | < 3.6.8 | 3.6.8 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| vendor_redhat | | 7.5 | HIGH | |
Red Hat
github.com/traefik/traefik: Traefik: Denial of Service via stalled STARTTLS requests
vendor_redhat·2026-02-12·CVSS 7.5
CVE-2026-25949 [HIGH] CWE-770 github.com/traefik/traefik: Traefik: Denial of Service via stalled STARTTLS requests
A flaw was found in Traefik, an HTTP reverse proxy and load balancer. An unauthenticated client can exploit this vulnerability by sending a specific 8-byte Postgres SSLRequest (STARTTLS) prelude and then intentionally delaying further communication. This action bypasses Traefik's conf
OSV
Traefik: TCP readTimeout bypass via STARTTLS on Postgres in github.com/traefik/traefik
osv·2026-02-17
GHSA
Traefik: TCP readTimeout bypass via STARTTLS on Postgres
ghsa·2026-02-12
CVE-2026-25949 [HIGH] CWE-400 Traefik: TCP readTimeout bypass via STARTTLS on Postgres
## Impact
There is a potential vulnerability in Traefik managing STARTTLS requests.
An unauthenticated client can bypass Traefik entrypoint `respondingTimeouts.readTimeout` by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service.
## Patches
- https://github.com/traefik/traefik/releases/tag/v3.6.8
## For more information
If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).
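Added example, not Traefik's own code: a minimal Go handler for the Postgres STARTTLS prelude described in the Impact section above, showing the hardening a defender wants here. The read deadline is re-armed before every read of the handshake, so a client that sends the 8-byte SSLRequest and then stalls is cut off after readTimeout instead of holding the connection open. The function names (readWithDeadline, handleHandshake, stalledClientIsCutOff) and the in-memory net.Pipe simulation are assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"io"
	"net"
	"time"
)

// Postgres SSLRequest prelude: int32 length 8 followed by int32 request code 80877103.
const pgSSLRequestCode = 80877103
// readWithDeadline reads exactly len(buf) bytes, bounded by timeout. Assumed hardening
// (not Traefik's code): the deadline is re-armed before every read of the handshake.
func readWithDeadline(conn net.Conn, buf []byte, timeout time.Duration) error {
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return err
	}
	_, err := io.ReadFull(conn, buf)
	return err
}
// handleHandshake consumes the 8-byte SSLRequest prelude, then waits for the first byte
// the client must send next (the start of its TLS ClientHello).
func handleHandshake(conn net.Conn, readTimeout time.Duration) error {
	prelude := make([]byte, 8)
	if err := readWithDeadline(conn, prelude, readTimeout); err != nil {
		return err
	}
	if binary.BigEndian.Uint32(prelude[:4]) != 8 || binary.BigEndian.Uint32(prelude[4:]) != pgSSLRequestCode {
		return errors.New("not a Postgres SSLRequest prelude")
	}
	// The reported bug class is a read here that readTimeout no longer covers;
	// re-arming the deadline keeps a stalled client bounded.
	return readWithDeadline(conn, make([]byte, 1), readTimeout)
}
// stalledClientIsCutOff simulates, over an in-memory net.Pipe, a client that sends the
// prelude and then stalls; it reports whether the server side times out instead of hanging.
func stalledClientIsCutOff(readTimeout time.Duration) bool {
	client, server := net.Pipe()
	defer client.Close()
	defer server.Close()
	go func() {
		var prelude [8]byte
		binary.BigEndian.PutUint32(prelude[:4], 8)
		binary.BigEndian.PutUint32(prelude[4:], pgSSLRequestCode)
		client.Write(prelude[:]) // then stall: the ClientHello never arrives
	}()
	var ne net.Error
	return errors.As(handleHandshake(server, readTimeout), &ne) && ne.Timeout()
}
```

The same re-arming pattern applies to any STARTTLS-style upgrade in a proxy: every blocking read between the prelude and the completed TLS handshake must sit under the configured read timeout.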
Original Description
### Summary
A remote, unauthenticated client can bypass Traefik entrypoint `respondingTimeouts.readTimeout` by sending the 8-byte Postgres SSLRequest (STARTTLS)
OSV
Traefik: TCP readTimeout bypass via STARTTLS on Postgres
osv·2026-02-12
No detection rules found.
No public exploits indexed.
References:
- https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678
- https://github.com/traefik/traefik/releases/tag/v3.6.8
- https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w
- https://access.redhat.com/errata/RHSA-2026:6192
- https://access.redhat.com/security/cve/CVE-2026-25949
- https://bugzilla.redhat.com/show_bug.cgi?id=2439522
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25949.json
Published: 2026-02-12