CVE-2026-48491
published 2026-06-23


CVSS 3.1 base score: 10 (critical)
EPSS: 0.24% (15.6th percentile)
Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection (SNICheck) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rule such as Host(*.example.com) with stricter TLS options (for example RequireAndVerifyClientCert), SNICheck resolves the TLS options for the HTTP Host header using exact map lookups only and never applies wildcard matching. If another permissive SNI is served on the same entrypoint, an attacker can complete the TLS handshake under the permissive options and then send an HTTP Host header targeting the wildcard-protected backend, reaching it without presenting a client certificate. This affects the regular HTTPS / HTTP-2 path and does not require HTTP/3. This vulnerability is fixed in 3.7.3.
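To make the root cause concrete, the following Go sketch is an added illustration (not Traefik's own code) that contrasts the exact-map lookup described above with a wildcard-aware resolution. The table hostToOptions, the functions resolveExact, resolveWildcard and sniCheckPasses, and the option names are hypothetical; the "no matching options means nothing to enforce" fallback is a modelling assumption consistent with the behaviour the advisory describes.

```go
package main

import "strings"

// tlsOptions is a reduced model of a router's TLS options.
type tlsOptions struct {
	Name       string
	ClientAuth string // "RequireAndVerifyClientCert" or "NoClientCert"
}

// Constructed per-entrypoint table, host rule -> TLS options (hypothetical data,
// not Traefik's configuration model): a strict wildcard router beside a permissive one.
var hostToOptions = map[string]tlsOptions{
	"*.example.com":      {Name: "strict-mtls", ClientAuth: "RequireAndVerifyClientCert"},
	"public.example.org": {Name: "permissive", ClientAuth: "NoClientCert"},
}

// resolveExact mirrors the flawed behaviour: an exact map lookup, so a Host header
// of api.example.com never hits the *.example.com entry.
func resolveExact(host string) (tlsOptions, bool) {
	opts, ok := hostToOptions[host]
	return opts, ok
}

// resolveWildcard is the corrected variant: after an exact miss it also tries the
// single-label wildcard form of the host (api.example.com -> *.example.com).
func resolveWildcard(host string) (tlsOptions, bool) {
	if opts, ok := hostToOptions[host]; ok {
		return opts, true
	}
	if i := strings.IndexByte(host, '.'); i > 0 {
		if opts, ok := hostToOptions["*"+host[i:]]; ok {
			return opts, true
		}
	}
	return tlsOptions{}, false
}

// sniCheckPasses models the domain-fronting check: the options the Host header
// resolves to must be the ones the TLS handshake completed under. Modelling
// assumption: no matching router options means nothing to enforce, so allow.
func sniCheckPasses(resolve func(string) (tlsOptions, bool), handshakeOpts, hostHeader string) bool {
	opts, ok := resolve(strings.ToLower(hostHeader))
	if !ok {
		return true
	}
	return opts.Name == handshakeOpts
}
```

With a handshake completed under the permissive options and a Host header of api.example.com, resolveExact misses and the request passes, while resolveWildcard maps the Host to the strict options and rejects the mismatch.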

Affected (4 ranges)

Vendor       Product         Version range        Fixed in
devspaces    traefik-rhel9   -                    -
traefik      traefik         -                    -
traefik      traefik         >= 3.7.0, < 3.7.3    3.7.3
traefik      traefik         >= 3.7.0, < 3.7.3    3.7.3

Detection & IOCs

  • Detect TLS handshake completed under permissive SNI options where the HTTP Host header targets a wildcard-protected backend (e.g., *.example.com) — mismatch between SNI used in TLS handshake and HTTP Host header value is the attack signature.
  • Flag Traefik instances (versions 3.7.0–3.7.2) where a wildcard host rule (Host(*.example.com)) is configured with RequireAndVerifyClientCert TLS options on an entrypoint that also serves permissive SNI configurations — this is the vulnerable configuration.
  • Monitor for unauthenticated requests reaching mTLS-protected backends in Traefik without a client certificate being presented — indicative of SNICheck bypass exploitation.
  • This vulnerability affects only the regular HTTPS / HTTP-2 path; HTTP/3 traffic is not affected and can be excluded from detection scope.
  • Vulnerable configuration requires BOTH a wildcard host rule with strict mTLS (RequireAndVerifyClientCert) AND a permissive SNI configuration on the same entrypoint; neither condition alone is sufficient to be exploitable.
  • Affected Traefik versions are 3.7.0 through 3.7.2; version 3.7.3 contains the fix. Red Hat OpenShift Dev Spaces package devspaces/traefik-rhel9 is confirmed affected.
  • SNICheck's exact map lookup (no wildcard matching) for HTTP Host header TLS option resolution is the root cause; wildcard routers are never matched, leaving them unprotected when a permissive SNI co-exists on the entrypoint.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      10.0    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
nvd             v4.0      7.8     HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat   -         7.8     HIGH       -