CVE-2026-26999: Uncontrolled Resource Consumption in Traefik

Severity: 7.5 HIGH (NVD)
EPSS: 0.0% (top 95.05%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 5
Latest update: Mar 10

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in how Traefik manages the TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthen

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

CVEListV5: traefik/traefik < 3.6.9 (+1)
NVD: traefik/traefik 3.0.0 - 3.6.9 (+1)

Patches

Vulnerability Details (4)

OSV: Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DOS) in github.com/traefik/traefik (2026-03-10)
CVEList: Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (slowloris doS) (2026-03-05)
OSV: Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DOS) (2026-03-04)
GHSA: Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DOS) (2026-03-04)

Vendor Advisories (1)

Red Hat: github.com/traefik/traefik: Traefik: Denial of Service due to incomplete TLS handshake (2026-03-05)

Threat Intelligence (1)

Wiz: CVE-2026-26999 Impact, Exploitability, and Mitigation Steps | Wiz