CVE-2026-32305
published 2026-03-20CVE-2026-32305: Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass…
PriorityP434medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EPSS
0.40%
32.3th percentile
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | traefik_traefik | 0 – 1.7.34 | — |
| github.com | traefik_traefik_v2 | >= 0 < 2.11.41 | 2.11.41 |
| github.com | traefik_traefik_v3 | >= 0 < 3.6.11 | 3.6.11 |
| github.com | traefik_traefik_v3 | >= 3.7.0-ea.1 < 3.7.0-ea.2 | 3.7.0-ea.2 |
| traefik | traefik | < 2.11.41 | 2.11.41 |
| traefik | traefik | — | — |
| traefik | traefik | — | — |
| traefik | traefik | — | — |
| traefik | traefik | 3.0.0 – 3.6.11 | — |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv4.07.8HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat7.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config in github.com/traefik/traefik
osv·2026-03-23
CVE-2026-32305 Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config in github.com/traefik/traefik
Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config in github.com/traefik/traefik
Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config in github.com/traefik/traefik
GHSA
Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config
ghsa·2026-03-20
CVE-2026-32305 [HIGH] CWE-287 Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config
Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config
## Summary
There is a potential vulnerability in Traefik's TLS SNI pre-sniffing logic related to fragmented ClientHello packets.
When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication.
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.41
- https://github.com/traefik/traefik/releases/tag/v3.6.11
- https://github.com/traef
OSV
Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config
osv·2026-03-20
CVE-2026-32305 [HIGH] Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config
Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config
## Summary
There is a potential vulnerability in Traefik's TLS SNI pre-sniffing logic related to fragmented ClientHello packets.
When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication.
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.41
- https://github.com/traefik/traefik/releases/tag/v3.6.11
- https://github.com/traef
Red Hat
Traefik: github.com/traefik/traefik: Traefik: mTLS bypass allows unauthorized service access via fragmented ClientHello.
vendor_redhat·2026-03-20·CVSS 7.8
CVE-2026-32305 [HIGH] CWE-179 Traefik: github.com/traefik/traefik: Traefik: mTLS bypass allows unauthorized service access via fragmented ClientHello.
Traefik: github.com/traefik/traefik: Traefik: mTLS bypass allows unauthorized service access via fragmented ClientHello.
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-32305 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2026-32305 [MEDIUM] CVE-2026-32305 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32305 :
NixOS vulnerability analysis and mitigation
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
Source : NVD
## 7.8
Score
Published March 20
Bugzilla
CVE-2026-32305 netdata: Traefik: mTLS bypass allows unauthorized service access via fragmented ClientHello. [fedora-42]
bugzilla·2026-03-23·CVSS 7.8
CVE-2026-32305 [HIGH] CVE-2026-32305 netdata: Traefik: mTLS bypass allows unauthorized service access via fragmented ClientHello. [fedora-42]
CVE-2026-32305 netdata: Traefik: mTLS bypass allows unauthorized service access via fragmented ClientHello. [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a current
https://github.com/traefik/traefik/releases/tag/v2.11.41https://github.com/traefik/traefik/releases/tag/v3.6.11https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48https://access.redhat.com/errata/RHSA-2026:10175https://access.redhat.com/errata/RHSA-2026:21772https://access.redhat.com/security/cve/CVE-2026-32305https://bugzilla.redhat.com/show_bug.cgi?id=2449595https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32305.json
2026-03-20
Published