CVE-2026-22045 in Traefik
Summary
by MITRE • 01/16/2026
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7.
Analysis
by VulDB Data Team • 01/24/2026
CVE-2026-22045 affects Traefik, a widely deployed HTTP reverse proxy and load balancer that sits at the edge of many cloud-native and microservices deployments. The flaw lies in the Automatic Certificate Management Environment (ACME) TLS certificate generation code, specifically in the ACME TLS-ALPN fast path. Because Traefik commonly handles edge routing and TLS termination, the flaw exposes affected deployments to denial of service, threatening service availability and operational continuity.
The flaw is a race condition and resource-management issue in Traefik's handling of ACME TLS challenges. When the ACME TLS challenge is enabled, Traefik spawns goroutines and allocates file descriptors to handle certificate issuance. A malicious client can open many connections, send a minimal ClientHello that advertises the acme-tls/1 protocol identifier, and then stop responding. Because the connection-handling logic neither times out nor cleans up these connections, the associated goroutines and file descriptors remain held indefinitely. The root cause is insufficient connection-lifecycle management and missing resource cleanup, which lets an unauthenticated client starve the entry point of resources.
The operational impact goes beyond simple service disruption and can reach everything that depends on Traefik for routing and security. An attacker can hold many connections in a half-open state until the available file descriptors and goroutine capacity are exhausted. At that point the Traefik entry point becomes unusable, legitimate traffic no longer reaches backend services, and failures can cascade through the affected system. The risk is greatest in high-traffic environments where resource headroom is already tight, since the condition can escalate quickly from a minor slowdown to a full outage.
Organizations should remediate immediately by upgrading to Traefik 2.11.35 or 3.6.7, which contain the patches for these resource-management issues. The fix adds proper timeouts and ensures that connections are cleaned up even when a client never completes the TLS handshake. Security teams should also monitor for unusual connection patterns and spikes in resource consumption that may indicate exploitation attempts; network-level controls such as connection rate limiting and circuit-breaker patterns add defense in depth. The vulnerability is classified under CWE-400, "Uncontrolled Resource Consumption", and is a classic example of insufficient resource management leading to denial of service. The attack vector corresponds to ATT&CK technique T1499.004, "Endpoint Denial of Service" through resource exhaustion, making this a critical vulnerability for organizations to address promptly.
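As an added illustration (not Traefik's own code or its actual fix), the weak and hardened server-side patterns in Go: an ALPN-aware GetCertificate that sends acme-tls/1 hellos down a challenge-certificate lookup, a plain Handshake() that a silent peer can hold forever, and a deadline-bounded handshake that drops such a peer and frees its descriptor. The in-memory peer, the acmeALPN constant, the always-missing challenge lookup and the helper names are assumptions for this demo, not Traefik identifiers.

```go
package main

import (
	"crypto/tls"
	"errors"
	"net"
	"time"
)

const acmeALPN = "acme-tls/1" // ALPN protocol id named in the advisory
// serverConfig routes a hello offering acme-tls/1 to a hypothetical challenge-cert lookup (always misses here).
func serverConfig() *tls.Config {
	return &tls.Config{
		NextProtos: []string{acmeALPN, "h2", "http/1.1"},
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			for _, p := range hello.SupportedProtos {
				if p == acmeALPN {
					return nil, errors.New("no acme-tls/1 challenge certificate for this name")
				}
			}
			return nil, errors.New("no certificate configured")
		},
	}
}

// handshakeUnbounded is the weak pattern: a peer that never finishes its ClientHello holds the goroutine and fd indefinitely.
func handshakeUnbounded(raw net.Conn) error {
	return tls.Server(raw, serverConfig()).Handshake()
}

// handshakeBounded is the hardened form: a handshake deadline guarantees a silent peer is dropped and its fd released.
func handshakeBounded(raw net.Conn, timeout time.Duration) (*tls.Conn, error) {
	_ = raw.SetDeadline(time.Now().Add(timeout))
	tc := tls.Server(raw, serverConfig())
	if err := tc.Handshake(); err != nil {
		raw.Close() // release the descriptor so the goroutine can exit
		return nil, err
	}
	_ = raw.SetDeadline(time.Time{}) // handshake done; clear the deadline for the request phase
	return tc, nil
}

// dropStalledPeer runs the hardened handshake against a constructed in-memory peer that connects, then stays silent.
func dropStalledPeer(timeout time.Duration) (time.Duration, error) {
	server, client := net.Pipe()
	defer client.Close() // the silent peer is torn down only after the server gave up
	start := time.Now()
	_, err := handshakeBounded(server, timeout)
	return time.Since(start), err
}
```

Calling handshakeUnbounded against the same silent peer never returns, which is the condition the advisory describes; the bounded variant returns a timeout error after roughly the configured deadline.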