Traefik mTLS Bypass via SNI Pre-Sniffing in v2.11.40-/3.6.11 & 3.7.0-ea.1
CVE-2026-32305 Published on March 20, 2026
Traefik mTLS bypass via fragmented ClientHello SNI extraction failure
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
Vulnerability Analysis
CVE-2026-32305 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.
Weakness Types
What is an authentification Vulnerability?
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CVE-2026-32305 has been classified to as an authentification vulnerability or weakness.
Insecure Default Initialization of Resource
The software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.
Incorrect Behavior Order: Early Validation
The software validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification. Software needs to validate data at the proper time, after data has been canonicalized and cleansed. Early validation is susceptible to various manipulations that result in dangerous inputs that are produced by canonicalization and cleansing.
Products Associated with CVE-2026-32305
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-32305 are published in these products:
Affected Versions
traefik:- Version < 2.11.41 is affected.
- Version >= 3.0.0-beta1, < 3.6.11 is affected.
- Version >= 3.7.0-ea.1, < 3.7.0-ea.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.