CVE-2026-32305
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk33th percentile - higher than 33% of all known CVEs
Summary
A vulnerability in Traefik allows bypassing mutual TLS (mTLS) authentication by sending a fragmented ClientHello packet. When SNI extraction fails due to fragmentation, the TCP router falls back to the default TLS configuration, which does not require client certificates.
Risk Assessment
An attacker can access mTLS-protected services without a valid client certificate, violating security policies and potentially leading to unauthorized access to sensitive data.
Recommendation
Immediately upgrade Traefik to versions 2.11.41, 3.6.11, or 3.7.0-ea.2, which contain the fix for this vulnerability.
Original NVD description (English source)
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.

