CVE-2026-32305 in Traefik

Summary

by MITRE • 03/20/2026

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.


Analysis

by VulDB Data Team • 03/26/2026

The vulnerability described in CVE-2026-32305 represents a critical mTLS bypass flaw in Traefik reverse proxy software that affects multiple version ranges including 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1. This security issue stems from improper handling of TLS ClientHello packets when they are fragmented across multiple TCP records during the initial TLS handshake process. The flaw specifically targets the Server Name Indication (SNI) extraction mechanism that Traefik employs to determine which TLS configuration to apply to incoming connections. When a ClientHello message is fragmented, the SNI extraction logic fails with an EOF error condition and returns an empty SNI value, which triggers a fallback mechanism in the TCP router. This fallback behavior causes Traefik to default to a TLS configuration that does not require client certificate authentication, effectively undermining the intended mutual TLS enforcement at the route level.

The technical implementation of this vulnerability demonstrates a classic case of incomplete error handling in TLS protocol parsing, which can be classified under CWE-248 as an "Exception for which the Exception Handler is Inappropriate" and CWE-707 as "Improper Neutralization of Input During Web Page Generation." The root cause lies in Traefik's inability to properly handle fragmented TLS ClientHello records during the SNI extraction phase, where the system fails to maintain the integrity of the TLS handshake process when encountering packet fragmentation. This issue directly relates to the TLS protocol specification where ClientHello messages can indeed be fragmented across multiple TCP records, but Traefik's implementation does not account for this legitimate TLS behavior properly. The operational impact of this vulnerability is severe as it allows attackers to bypass mTLS enforcement mechanisms that are critical for securing service-to-service communications in microservices architectures, containerized environments, and cloud-native deployments where mutual TLS authentication is enforced at the routing layer.

From an attacker perspective, this vulnerability enables privilege escalation through lateral movement by allowing unauthorized access to services that should only be accessible through proper client certificate authentication. The attack vector aligns with ATT&CK technique T1552.001 for "Unsecured Credentials" and T1071.001 for "Application Layer Protocol: Web Protocols" as it exploits weaknesses in the TLS termination and certificate validation process. The vulnerability is particularly dangerous in environments where Traefik serves as a critical ingress controller or API gateway where mTLS is used to enforce secure communication between services, such as in Kubernetes clusters where Traefik is commonly deployed as an ingress controller. Organizations using Traefik in production environments with route-level mTLS enforcement are at significant risk of unauthorized access to sensitive backend services, potentially leading to data breaches, service disruption, or further compromise of the underlying infrastructure. The fix implemented in versions 2.11.41, 3.6.11, and 3.7.0-ea.2 addresses the core issue by improving the handling of fragmented ClientHello packets and ensuring that SNI extraction maintains proper error handling even when dealing with fragmented TLS records, thereby preventing the fallback to default TLS configurations that would bypass mTLS requirements.

The broader implications of this vulnerability extend beyond immediate security concerns to highlight the importance of robust TLS implementation in modern networking infrastructure. This issue demonstrates how seemingly minor protocol handling decisions can create significant security weaknesses in critical infrastructure components, particularly in the context of cloud-native security where reverse proxies play a central role in traffic management and security enforcement. Organizations should conduct immediate vulnerability assessments of their Traefik deployments to ensure proper patching, while also reviewing their mTLS configurations to understand the potential impact of similar vulnerabilities in other components of their security infrastructure. The vulnerability serves as a reminder of the complexity involved in implementing secure TLS termination and the necessity of thorough testing of protocol edge cases, particularly in systems that handle sensitive communications and authentication flows.

Responsible

GitHub M

Reservation

03/11/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00015

KEV

no

Activities

very low

Sources
