Platform
go
Component
github.com/traefik/traefik
Fixed in
2.11.42
3.0.1
3.7.1
3.7.0-ea.2
CVE-2026-32305 is an mTLS bypass in Traefik, a widely used reverse proxy and load balancer. Traefik chooses the TLS configuration for an incoming connection by inspecting the client's TLS ClientHello. When that ClientHello arrives fragmented across several TLS records, affected versions fail to apply the configuration that requires a client certificate and instead fall back to the default TLS configuration, which does not. A client that fragments its ClientHello can therefore complete a handshake on an mTLS-protected entry point without presenting a certificate. The fix is included in the releases listed above.
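The mechanism above, as an added example that is not Traefik's code and does not model its internals: a stock Go crypto/tls client produces a real ClientHello, which is then re-framed either as one TLS record or as several (TLS lets the sender choose record boundaries, so a fragmenting client is within the protocol). A sniffer that inspects only the first record cannot read the server name from the fragmented form, and a router that answers that failure by falling back to its default configuration is the fail-open pattern the bypass depends on; reassembling the records (delegated here to crypto/tls, whose server side reads a handshake message that spans records) or failing closed prevents it. The `mtlsHosts` table, the host names and the `clientCertRequired` policy function are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
)

// captureClientHello drives a stock crypto/tls client against one end of a net.Pipe
// and returns the payload of the TLS record carrying its ClientHello.
func captureClientHello(serverName string) ([]byte, error) {
	cEnd, sEnd := net.Pipe()
	go func() {
		c := tls.Client(cEnd, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
		_ = c.Handshake() // fails once sEnd is closed; only the ClientHello is needed
		cEnd.Close()
	}()
	defer sEnd.Close()
	var hdr [5]byte // content type, legacy version, payload length
	if _, err := io.ReadFull(sEnd, hdr[:]); err != nil {
		return nil, err
	}
	payload := make([]byte, int(hdr[3])<<8|int(hdr[4]))
	_, err := io.ReadFull(sEnd, payload)
	return payload, err
}

// frame wraps a handshake payload in TLS records of at most chunk bytes each:
// one record is the common case, several is what a fragmenting client sends.
func frame(payload []byte, chunk int) []byte {
	var out []byte
	for len(payload) > 0 {
		n := len(payload)
		if n > chunk {
			n = chunk
		}
		out = append(out, 22, 3, 1, byte(n>>8), byte(n)) // handshake record, version 3.1
		out = append(out, payload[:n]...)
		payload = payload[n:]
	}
	return out
}

// sinkConn discards what the server writes; only what it reads matters here.
type sinkConn struct{ net.Conn }

func (sinkConn) Write(p []byte) (int, error) { return len(p), nil }

// sniFromStream feeds raw records to a crypto/tls server that aborts as soon as
// GetConfigForClient runs and reports the ServerName it saw. crypto/tls reassembles
// a ClientHello spread over records, so only a stream missing records fails.
func sniFromStream(stream []byte) (string, error) {
	cEnd, sEnd := net.Pipe()
	go func() {
		cEnd.Write(stream) // delivered as the server reads; returns once consumed or closed
		cEnd.Close()       // then EOF, as after a sniffer's last record
	}()
	defer sEnd.Close()
	var name, seen = "", false
	srv := tls.Server(sinkConn{sEnd}, &tls.Config{
		GetConfigForClient: func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
			name, seen = hi.ServerName, true
			return nil, errors.New("ClientHello parsed, handshake aborted")
		},
	})
	err := srv.Handshake()
	if seen {
		return name, nil
	}
	return "", err
}

// mtlsHosts is a constructed routing table: names whose TLS options demand a client
// certificate. The default configuration, used when nothing matches, does not.
var mtlsHosts = map[string]bool{"mtls.example.test": true}

// clientCertRequired decides the policy for one connection. peekOneRecord models a
// sniffer that inspects only the first record; failOpen reproduces the bypass pattern.
func clientCertRequired(stream []byte, peekOneRecord, failOpen bool) (bool, error) {
	if peekOneRecord {
		stream = stream[:5+int(stream[3])<<8+int(stream[4])]
	}
	name, err := sniFromStream(stream)
	if err != nil {
		if failOpen {
			return false, nil // default TLS configuration: no client certificate
		}
		return false, err // fail closed: refuse the connection
	}
	return mtlsHosts[name], nil
}

func main() {
	hello, err := captureClientHello("mtls.example.test")
	if err != nil {
		panic(err)
	}
	open, _ := clientCertRequired(frame(hello, 100), true, true)
	fmt.Println("fragmented hello, first-record sniffer, fail-open demands client cert:", open) // false
}
```

Run with `go run`: the fragmented hello under a first-record sniffer with fail-open semantics yields no client-certificate requirement, which is the bypass; the same stream under fail-closed semantics is refused, and under a reassembling sniffer it gets the per-host policy. The deciding design point is not the parser but what the router does when parsing fails: a default that is weaker than any host-specific configuration must never be reachable by a malformed or incomplete hello.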
The primary impact of CVE-2026-32305 is loss of client authentication. mTLS is meant to authenticate the client as well as the server, and the bypass lets a client that presents no certificate reach a backend that was supposed to accept only certificate-authenticated clients. It does not let an attacker decrypt or tamper with other users' traffic; the risk is unauthorized access to whatever the affected backends expose, with whatever privileges an authenticated client would have had. The blast radius covers every service that relies on Traefik, rather than on its own checks, to enforce mTLS.
CVE-2026-32305 was publicly disclosed on March 23, 2026. Its EPSS score is 0.01% (2nd percentile), a low predicted probability of exploitation in the wild at the time of writing, and no active exploitation has been confirmed. The bypass needs nothing more from an attacker than a client that splits its ClientHello, so a public proof of concept would likely raise that estimate; monitor CISA KEV for any later inclusion.
Exploit Status
EPSS
0.01% (2nd percentile)
CISA SSVC
The primary mitigation for CVE-2026-32305 is upgrading Traefik to one of the fixed releases listed above. There is no documented Traefik setting that rejects fragmented ClientHellos, and splitting a ClientHello across TLS records or TCP segments is permitted by the protocol, so a filter that blocked it would also block legitimate clients; it is not a viable workaround. Until you can upgrade, do not rely on Traefik alone for client authentication on the affected entry points: restrict their network reachability where possible and require an application-level credential at the backend. Also review what the default TLS configuration on those entry points permits; if the `default` TLS options entry is itself configured to require and verify client certificates against the same CA (`clientAuth.clientAuthType: RequireAndVerifyClientCert`), a fall back to it does not drop authentication, though whether that is the fallback this CVE triggers should be confirmed against the advisory. A bypassed connection looks like any other connection to Traefik, so detection belongs at the backend: alert on requests arriving through an mTLS entry point without the client certificate identity you expect. After upgrading, verify the fix by connecting with a client that presents no certificate and splits its ClientHello across records; the handshake must fail exactly as it does for an unfragmented ClientHello.
Update Traefik to version 2.11.41, 3.6.11, or 3.7.0-ea.2 or later on the release branch you run. These releases contain the fix that prevents the mTLS bypass caused by ClientHello fragmentation.
CVE-2026-32305 is a Traefik vulnerability that lets a client bypass mTLS enforcement by sending a fragmented TLS ClientHello: the connection is then handled under the default TLS configuration, which does not require a client certificate, so unauthenticated clients can reach mTLS-protected backends.
You are affected if you run a Traefik release older than the fixed versions listed above and rely on Traefik to enforce mTLS (client certificate authentication) on an entry point.
Upgrade Traefik to one of the fixed releases listed above. If you cannot upgrade immediately, restrict network reachability of the affected entry points and do not rely on Traefik alone for client authentication until you have.
No active exploitation has been confirmed and the EPSS estimate is low, but the bypass requires only a client that fragments its ClientHello, so treat exposed mTLS entry points as at risk until patched.
Refer to the official Traefik security advisory for authoritative details and updates on CVE-2026-32305.