CVE-2026-48491
Published 2026-06-23
Priority P2 (63) · critical · CVSS 3.1 score 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS: 0.24% (15.6th percentile)
Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection (SNICheck) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rule such as Host(*.example.com) with stricter TLS options (for example RequireAndVerifyClientCert), SNICheck resolves the TLS options for the HTTP Host header using exact map lookups only and never applies wildcard matching. If another permissive SNI is served on the same entrypoint, an attacker can complete the TLS handshake under the permissive options and then send an HTTP Host header targeting the wildcard-protected backend, reaching it without presenting a client certificate. This affects the regular HTTPS / HTTP-2 path and does not require HTTP/3. This vulnerability is fixed in 3.7.3.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devspaces | traefik-rhel9 | — | — |
| traefik | traefik | — | — |
| traefik | traefik | >= 3.7.0 < 3.7.3 | 3.7.3 |
| traefik | traefik | >= 3.7.0 < 3.7.3 | 3.7.3 |
Detection & IOCs (extracted from sources)
- Detect a TLS handshake completed under permissive SNI options where the HTTP Host header targets a wildcard-protected backend (e.g., *.example.com); a mismatch between the SNI used in the TLS handshake and the HTTP Host header value is the attack signature.
- Flag Traefik instances (versions 3.7.0 through 3.7.2) where a wildcard host rule (Host(*.example.com)) is configured with RequireAndVerifyClientCert TLS options on an entrypoint that also serves permissive SNI configurations; this is the vulnerable configuration.
- Monitor for unauthenticated requests reaching mTLS-protected backends in Traefik without a client certificate being presented, which is indicative of SNICheck bypass exploitation.
- This vulnerability affects only the regular HTTPS / HTTP-2 path; HTTP/3 traffic is not affected and can be excluded from detection scope.
- The vulnerable configuration requires BOTH a wildcard host rule with strict mTLS (RequireAndVerifyClientCert) AND a permissive SNI configuration on the same entrypoint; neither condition alone is sufficient to be exploitable.
- Affected Traefik versions are 3.7.0 through 3.7.2; version 3.7.3 contains the fix. The Red Hat OpenShift Dev Spaces package devspaces/traefik-rhel9 is confirmed affected.
- SNICheck's exact map lookup (no wildcard matching) for HTTP Host header TLS option resolution is the root cause; wildcard routers are never matched, leaving them unprotected when a permissive SNI co-exists on the entrypoint.
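As an added illustration of the root cause and of the SNI/Host detection signature above (this is not Traefik's code; the option names and host names are constructed), a simplified SNICheck in Go: the exact-map resolution the advisory describes beside a wildcard-aware one, and the SNI/Host consistency check run with each.

```go
package main

import (
	"fmt"
	"strings"
)

// Router host pattern -> TLS options name (constructed example). The wildcard
// router stands for one configured with RequireAndVerifyClientCert.
var tlsOptions = map[string]string{
	"public.example.com": "default",
	"*.example.com":      "mtls-required",
}

// resolveExact models the defect in the advisory: an exact map lookup, so
// "api.example.com" never hits "*.example.com" and gets the permissive default.
func resolveExact(host string) string {
	if opts, ok := tlsOptions[host]; ok {
		return opts
	}
	return "default"
}

// resolveWildcard is the hardened form: after the exact lookup it also tries the
// wildcard entry for the parent domain (one label; a simplification, not Traefik's).
func resolveWildcard(host string) string {
	if opts, ok := tlsOptions[host]; ok {
		return opts
	}
	if i := strings.IndexByte(host, '.'); i > 0 {
		if opts, ok := tlsOptions["*"+host[i:]]; ok {
			return opts
		}
	}
	return "default"
}

// conn is a constructed record: SNI from the handshake, Host header after it.
type conn struct{ sni, host string }

// hostFrontingMismatch is the SNICheck decision: reject when the Host header
// resolves to mTLS options but the SNI the handshake used did not.
func hostFrontingMismatch(c conn, resolve func(string) string) bool {
	return resolve(c.host) == "mtls-required" && resolve(c.sni) != "mtls-required"
}

func main() {
	c := conn{sni: "public.example.com", host: "api.example.com"}
	fmt.Println("exact lookup rejects:", hostFrontingMismatch(c, resolveExact))       // false: bypass
	fmt.Println("wildcard lookup rejects:", hostFrontingMismatch(c, resolveWildcard)) // true: blocked
}
```

The same check, fed from access logs that record both the handshake SNI and the Host header, is the mismatch signature the first detection bullet describes.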
CVSS provenance
- nvd, v3.1: 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
- nvd, v4.0: 7.8 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- vendor_redhat: 7.8 HIGH
VulDB
Traefik up to 3.7.2 wildcard-protected Backend authentication bypass (GHSA-5r4w-85f3-pw66)
vuldb · 2026-06-28 · CVSS 10.0 · CRITICAL
A vulnerability classified as critical was found in Traefik up to 3.7.2. Impacted is an unknown function of the component wildcard-protected Backend. The manipulation results in authentication bypass using alternate channel.
This vulnerability is known as CVE-2026-48491. It is possible to launch the attack remotely. No exploit is available.
Upgrading the affected component is advised.
GHSA
Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass
ghsa · 2026-06-16 · HIGH · CWE-288
## Summary
There is a high severity vulnerability in Traefik's domain-fronting protection (`SNICheck`) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router `TLSOptions`. When a router uses a wildcard host rule such as ``Host(`*.example.com`)`` with stricter TLS options (for example `RequireAndVerifyClientCert`), `SNICheck` resolves the TLS options for the HTTP `Host` header using exact map lookups only and never applies wildcard matching. If another permissive SNI is served on the same entrypoint, an attacker can complete the TLS handshake under the permissive options and then send an HTTP `Host` header targeting the wildcard-protected backend, reaching it with
Red Hat
Traefik: Unauthorized access due to mutual TLS bypass
vendor_redhat · 2026-06-23 · CVSS 7.8 · HIGH · CWE-807
A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This vulnerability allows an unauthenticated client to bypass mutual Transport Layer Security (TLS) enforcement, a security measure that verifies both client and server identities. The bypass occurs due to an issue in Traefik's domain-fronting protection (SNICheck), which incorrectly processes TLS options for HTTP Host headers. As a result, an attacker can gain unauthorized access to protected backend services without presenting a required client certificate.
Statement: This is an Important flaw in Traefik that allows an unauthenticated client to bypass mutual TLS authentication. The vulnerability arises from an issue in Traefik's domain-fronting protection
No detection rules found.
No public exploits indexed.
References
- https://github.com/traefik/traefik/releases/tag/v3.7.3
- https://github.com/traefik/traefik/security/advisories/GHSA-5r4w-85f3-pw66
- https://access.redhat.com/security/cve/CVE-2026-48491
- https://bugzilla.redhat.com/show_bug.cgi?id=2491923
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48491.json
Published 2026-06-23