CVE-2026-53622
Published 2026-06-23
CVSS 3.1: 10.0 critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS: 0.24% (14.9th percentile)
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI value, which fails to match wildcard host patterns (e.g., *.example.com) or case variants of the configured hostname. Because the handshake falls back to the default TLS configuration — which may not require client certificates — a client can complete the QUIC handshake without presenting a certificate, while the subsequent HTTP routing layer still dispatches the request to a backend protected by a router-specific mTLS policy. The issue affects deployments where HTTP/3 is enabled, a router uses a wildcard Host rule or case-insensitive hostname matching, a router-specific TLSOptions enforces client certificate authentication, and UDP access to the entrypoint is reachable by an attacker. This vulnerability is fixed in 3.7.3.
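The selection flaw described above, as an added example in Go (not Traefik's own code): a verbatim SNI lookup of the kind the advisory describes beside a case-insensitive, wildcard-aware one, plus a small audit helper that flags routers meeting the listed preconditions (HTTP/3 on, wildcard or mixed-case Host rule, router-specific TLSOptions requiring a client certificate, default TLSOptions not requiring one). All type, field and function names are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// hostConfig binds a configured host pattern to the TLSOptions name that should
// apply to it (constructed type, not Traefik's).
type hostConfig struct {
	Pattern string // e.g. "*.example.com" or "Admin.Example.com"
	Options string // e.g. "mtls-opts"
}

// exactLookup models the behaviour the advisory describes: the SNI string is
// used verbatim as the key, so a wildcard pattern or a case variant of the
// configured hostname never matches and the caller falls back to the default.
func exactLookup(configs []hostConfig, sni string) (string, bool) {
	for _, c := range configs {
		if c.Pattern == sni {
			return c.Options, true
		}
	}
	return "", false
}

// normalize lowercases a hostname and drops a trailing dot, since DNS names
// are case-insensitive.
func normalize(h string) string {
	return strings.ToLower(strings.TrimSuffix(h, "."))
}

// matchHost reports whether host matches pattern: a leading "*." matches exactly
// one DNS label, anything else is a case-insensitive exact comparison.
func matchHost(pattern, host string) bool {
	pattern, host = normalize(pattern), normalize(host)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	suffix := pattern[1:] // ".example.com"
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	label := strings.TrimSuffix(host, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// selectTLSOptions is the pattern-aware selection: an exact (case-insensitive)
// match wins over a wildcard match; only when nothing matches does the default apply.
func selectTLSOptions(configs []hostConfig, sni string) string {
	for _, c := range configs {
		if !strings.HasPrefix(c.Pattern, "*.") && matchHost(c.Pattern, sni) {
			return c.Options
		}
	}
	for _, c := range configs {
		if strings.HasPrefix(c.Pattern, "*.") && matchHost(c.Pattern, sni) {
			return c.Options
		}
	}
	return "default"
}

// router and deployment are a minimal constructed model of the settings the
// advisory lists as preconditions; field names are assumptions.
type router struct {
	Name    string
	Host    string // value of the router's Host rule
	Options string // TLSOptions name attached to the router
}

type deployment struct {
	HTTP3Enabled       bool
	RequiresClientCert map[string]bool // TLSOptions name -> client cert required
	Routers            []router
}

// exposedRouters lists routers for which every listed precondition holds.
func exposedRouters(d deployment) []string {
	var out []string
	if !d.HTTP3Enabled || d.RequiresClientCert["default"] {
		return out
	}
	for _, r := range d.Routers {
		missesExact := strings.HasPrefix(r.Host, "*.") || r.Host != strings.ToLower(r.Host)
		if missesExact && d.RequiresClientCert[r.Options] {
			out = append(out, r.Name)
		}
	}
	return out
}

func main() {
	configs := []hostConfig{{"*.example.com", "mtls-opts"}, {"Admin.Example.com", "admin-mtls"}}
	for _, sni := range []string{"api.example.com", "admin.example.com"} {
		_, found := exactLookup(configs, sni)
		fmt.Printf("%-18s exact lookup found=%v  pattern-aware -> %s\n", sni, found, selectTLSOptions(configs, sni))
	}
	d := deployment{HTTP3Enabled: true, RequiresClientCert: map[string]bool{"mtls-opts": true, "default": false},
		Routers: []router{{"api", "*.example.com", "mtls-opts"}, {"www", "www.example.com", "default"}}}
	fmt.Println("exposed routers:", exposedRouters(d))
}
```

The audit helper deliberately returns nothing when the default TLSOptions itself requires a client certificate, because the advisory's bypass depends on the fallback configuration being weaker than the router-specific one.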
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devspaces | traefik-rhel9 | — | — |
| github.com | traefik_traefik | 0 – 1.7.34 | — |
| github.com | traefik_traefik_v2 | 0 – 2.11.50 | — |
| traefik | traefik | < 3.7.3 | 3.7.3 |
| traefik | traefik | >= 0 < 3.7.3 | 3.7.3 |
Detection & IOCs (extracted from sources)
- HTTP/3 (QUIC) is required for exploitation: monitor for QUIC/UDP traffic to Traefik entrypoints, especially from unauthenticated clients that complete a TLS handshake without presenting a client certificate.
- Look for TLS handshakes on HTTP/3 entrypoints where the SNI value does not exactly match a configured hostname (e.g., uses a wildcard like *.example.com or a case variant), causing fallback to the default TLS configuration without client certificate enforcement.
- Alert on successful QUIC handshake completions to mTLS-protected Traefik routers where no client certificate was presented, followed by HTTP requests being dispatched to the protected backend.
- Identify vulnerable Traefik deployments: HTTP/3 enabled, router with wildcard Host rule or case-insensitive hostname matching, router-specific TLSOptions enforcing client certificate authentication, and UDP port accessible.
- Only Traefik versions prior to 3.7.3 are vulnerable; upgrade to 3.7.3 or later to remediate.
- The vulnerability is only exploitable when HTTP/3 (QUIC) is explicitly enabled on a Traefik entrypoint; deployments without HTTP/3 are not affected.
- Bypass only occurs when the router uses a wildcard Host rule (e.g., *.example.com) or case-insensitive hostname matching combined with a router-specific TLSOptions enforcing mTLS; exact-match hostname routers are not affected by the SNI lookup failure.
- Red Hat OpenShift Dev Spaces ships the affected package (devspaces/traefik-rhel9); as a mitigation prior to patching, disable HTTP/3 (QUIC) on Traefik entrypoints and restart the Traefik service.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
| nvd | 4.0 | 7.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 7.8 | HIGH | — |
Red Hat
github.com/traefik/traefik: Traefik: mTLS enforcement bypass due to HTTP/3 TLS configuration flaw
vendor_redhat · 2026-06-23 · CVSS 7.8 · CVE-2026-53622 [HIGH] CWE-289
A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection allows unauthenticated clients to bypass router-specific mutual Transport Layer Security (mTLS) enforcement. When HTTP/3 is enabled and a router uses wildcard host rules or case-insensitive hostname matching with client certificate authentication, an attacker can complete the QUIC handshake without presenting a certificate. This bypass grants unauthorized access to a backend that should be protected by mTLS.
Statement: This Important flaw in Traefik, as shipped in Red Hat OpenShift Dev Spaces, allows unauthenticated clients to bypass mutual
VulDB
Traefik up to 3.7.2 SNI authentication bypass (GHSA-9cr8-q42q-g8m7)
vuldb · 2026-06-28 · CVSS 10.0 · CVE-2026-53622 [CRITICAL]
A vulnerability, which was classified as critical, has been found in Traefik up to 3.7.2. The affected element is an unknown function. This manipulation of the argument SNI causes authentication bypass using alternate channel.
This vulnerability is handled as CVE-2026-53622. The attack can be initiated remotely. There is not any exploit available.
It is advisable to upgrade the affected component.
GHSA
Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts
ghsa · 2026-06-16 · CVE-2026-53622 [HIGH] CWE-288
## Summary
There is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI value, which fails to match wildcard host patterns (e.g., `*.example.com`) or case variants of the configured hostname. Because the handshake falls back to the default TLS configuration — which may not require client certificates — a client can complete the QUIC handshake without presenting a certificate, while the subsequent HTTP routing layer still dispatches the reque
No detection rules found.
No public exploits indexed.
References
- https://github.com/traefik/traefik/releases/tag/v3.7.3
- https://github.com/traefik/traefik/security/advisories/GHSA-9cr8-q42q-g8m7
- https://access.redhat.com/security/cve/CVE-2026-53622
- https://bugzilla.redhat.com/show_bug.cgi?id=2491924
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53622.json