CVE-2026-53622
published 2026-06-23


Priority: P2 (68), critical
CVSS 3.1: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS: 0.24% (14.9th percentile)
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI value, which fails to match wildcard host patterns (e.g., *.example.com) or case variants of the configured hostname. Because the handshake falls back to the default TLS configuration — which may not require client certificates — a client can complete the QUIC handshake without presenting a certificate, while the subsequent HTTP routing layer still dispatches the request to a backend protected by a router-specific mTLS policy. The issue affects deployments where HTTP/3 is enabled, a router uses a wildcard Host rule or case-insensitive hostname matching, a router-specific TLSOptions enforces client certificate authentication, and UDP access to the entrypoint is reachable by an attacker. This vulnerability is fixed in 3.7.3.
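The selection flaw described above, as an added Go illustration that is not Traefik's own code: a case-sensitive exact map lookup on the SNI value, beside a lookup that folds case and honours a single-label wildcard before falling back to the default configuration. The host patterns and option names are constructed for the example, and "default" stands for the catch-all TLS configuration that may not require a client certificate.

```go
package main

import "strings"

// Constructed sample: router-specific TLS option sets keyed by the host
// they protect (one wildcard, one mixed-case). "default" stands for the
// catch-all configuration that may not require a client certificate.
var configuredHosts = map[string]string{
	"*.example.com":   "wildcard-mtls",
	"Api.Example.com": "api-mtls",
}

// selectExact models the flawed selection the advisory describes:
// an exact, case-sensitive lookup on the raw SNI value.
func selectExact(sni string) string {
	if name, ok := configuredHosts[sni]; ok {
		return name
	}
	return "default"
}

// hostMatches reports whether pattern covers host: a leading "*." stands
// for exactly one DNS label, and the comparison is case-insensitive.
func hostMatches(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	dot := strings.IndexByte(host, '.')
	return dot > 0 && host[dot+1:] == pattern[2:]
}

// selectNormalized is the corrected selection: a case-folded exact match
// wins, then a wildcard match, and only then the default configuration.
func selectNormalized(sni string) string {
	chosen := "default"
	for pattern, name := range configuredHosts {
		if !hostMatches(pattern, sni) {
			continue
		}
		if !strings.HasPrefix(pattern, "*.") {
			return name // exact (case-folded) match wins outright
		}
		chosen = name
	}
	return chosen
}
```

With the exact lookup, both foo.example.com and API.EXAMPLE.COM fall through to "default"; the normalized lookup lands them on the router-specific options, while deep.foo.example.com stays on "default" because the wildcard covers one label only.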

Affected (5 ranges)

Vendor        Product              Version range    Fixed in
devspaces     traefik-rhel9
github.com    traefik_traefik      0 – 1.7.34
github.com    traefik_traefik_v2   0 – 2.11.50
traefik       traefik              < 3.7.3          3.7.3
traefik       traefik              >= 0 < 3.7.3     3.7.3

Detection & IOCs (extracted from sources)

  • HTTP/3 (QUIC) is required for exploitation — monitor for QUIC/UDP traffic to Traefik entrypoints, especially from unauthenticated clients that complete a TLS handshake without presenting a client certificate
  • Look for TLS handshakes on HTTP/3 entrypoints where the SNI value does not exactly match a configured hostname (e.g., uses a wildcard like *.example.com or a case variant), causing fallback to the default TLS configuration without client certificate enforcement
  • Alert on successful QUIC handshake completions to mTLS-protected Traefik routers where no client certificate was presented, followed by HTTP requests being dispatched to the protected backend
  • Identify vulnerable Traefik deployments: HTTP/3 enabled, router with wildcard Host rule or case-insensitive hostname matching, router-specific TLSOptions enforcing client certificate authentication, and UDP port accessible
  • Only Traefik versions prior to 3.7.3 are vulnerable; upgrade to 3.7.3 or later to remediate
  • The vulnerability is only exploitable when HTTP/3 (QUIC) is explicitly enabled on a Traefik entrypoint; deployments without HTTP/3 are not affected
  • Bypass only occurs when the router uses a wildcard Host rule (e.g., *.example.com) or case-insensitive hostname matching combined with a router-specific TLSOptions enforcing mTLS; exact-match hostname routers are not affected by the SNI lookup failure
  • Red Hat OpenShift Dev Spaces ships the affected package (devspaces/traefik-rhel9); as a mitigation prior to patching, disable HTTP/3 (QUIC) on Traefik entrypoints and restart the Traefik service

CVSS provenance

nvd            v3.1   10.0   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
nvd            v4.0   7.8    HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat         7.8    HIGH