DEV Community

CVE Reports

Posted on • Originally published at cvereports.com


CVE-2026-32305: Mutual TLS Bypass via Fragmented ClientHello in Traefik

Vulnerability ID: CVE-2026-32305
CVSS Score: 7.8
Published: 2026-03-20

Traefik versions up to 2.11.40 and 3.6.10 are vulnerable to a mutual TLS (mTLS) bypass. The vulnerability occurs in the TLS Server Name Indication (SNI) pre-sniffing logic when handling fragmented ClientHello packets. This extraction failure results in the proxy falling back to a global default TLS configuration, which allows attackers to bypass route-level mTLS authentication requirements.

TL;DR

A flaw in Traefik's custom SNI pre-sniffing logic allows unauthenticated attackers to bypass route-specific mTLS requirements by transmitting an artificially fragmented TLS ClientHello message.


⚠️ Exploit Status: POC

Technical Details

  • Attack Vector: Network
  • CWE ID: CWE-287, CWE-1188
  • CVSS v4.0: 7.8
  • EPSS Score: 0.00046 (13.81%)
  • Exploit Status: Proof-of-Concept Available
  • KEV Status: Not Listed

Affected Systems

  • Traefik v2: <= 2.11.40 (fixed in 2.11.41)
  • Traefik v3: 3.0.0-beta1 to 3.6.10 (fixed in 3.6.11)
  • Traefik v3: 3.7.0-ea.1 (fixed in 3.7.0-ea.2)

Exploit Details

Mitigation Strategies

  • Upgrade Traefik to a patched version (2.11.41, 3.6.11, or 3.7.0-ea.2).
  • Configure the default TLS option to enforce mTLS globally via RequireAndVerifyClientCert.
  • Explicitly configure public-facing routes with NoClientCert to invert the default fallback behavior.
  • Deploy network intrusion detection rules to identify heavily fragmented TLS initial handshakes.

Remediation Steps:

  1. Review current Traefik deployment versions across all environments.
  2. Assess whether existing routing rules rely on route-specific mTLS configurations.
  3. Apply the patch by updating the Traefik container image tags to 2.11.41, 3.6.11, or 3.7.0-ea.2.
  4. If patching is delayed, update the dynamic configuration file so that the default TLS option sets clientAuth.clientAuthType to RequireAndVerifyClientCert.
  5. Verify access to public routes and explicitly apply permissive TLS profiles to them to prevent service disruption.
  6. Restart the Traefik service to apply configuration or binary updates.
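Added example, not taken from the original report or from the Traefik project: a file-provider dynamic configuration showing the route-level mTLS layout that the fallback undermines beside the inverted layout from steps 4 and 5. Hostnames, service names and the CA path are placeholders.

```yaml
# BEFORE: mTLS lives only on the "mtls" option; the "default" option
# has no clientAuth, so a connection whose SNI is not extracted lands
# on a TLS config that never asks for a client certificate.
tls:
  options:
    default: {}                      # weak: permissive fallback
    mtls:
      clientAuth:
        caFiles:
          - /etc/traefik/ca.crt      # placeholder CA bundle
        clientAuthType: RequireAndVerifyClientCert

# AFTER: invert the fallback. "default" enforces mTLS, and only the
# routes that are meant to be public opt out with NoClientCert.
tls:
  options:
    default:
      clientAuth:
        caFiles:
          - /etc/traefik/ca.crt      # placeholder CA bundle
        clientAuthType: RequireAndVerifyClientCert
    public:
      clientAuthType: NoClientCert   # explicit opt-out for public routes
      # (Traefik reads this under clientAuth; shown inline for brevity)

http:
  routers:
    admin:
      rule: "Host(`admin.example.com`)"   # placeholder host
      service: admin-svc
      tls:
        options: default               # inherits mTLS
    www:
      rule: "Host(`www.example.com`)"     # placeholder host
      service: web-svc
      tls:
        options: public                # deliberately permissive
  services:
    admin-svc:
      loadBalancer:
        servers:
          - url: "http://10.0.0.10:8080"  # placeholder backend
    web-svc:
      loadBalancer:
        servers:
          - url: "http://10.0.0.20:8080"  # placeholder backend
```

Only one `tls.options` block can exist per file in practice; the BEFORE and AFTER halves are shown together for comparison and should not be merged verbatim. After applying the AFTER layout, confirm that a request without a client certificate to the admin route is rejected at the handshake and that the public route still serves.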

Read the full report for CVE-2026-32305 on our website for more details including interactive diagrams and full exploit analysis.
