Platform
go
Component
github.com/traefik/traefik
Fixed in
2.11.42
3.0.1
3.7.1
3.7.0-ea.2
CVE-2026-32305 describes a potential mTLS bypass vulnerability within Traefik, a popular reverse proxy and load balancer. This flaw allows attackers to circumvent mutual TLS (mTLS) enforcement by exploiting fragmented TLS ClientHello messages, causing Traefik to fall back to a default, non-mTLS TLS configuration. The vulnerability impacts versions of Traefik prior to 3.7.0-ea.2, and a fix has been released.
The primary impact of CVE-2026-32305 is the circumvention of mTLS, a critical security mechanism designed to authenticate both the client and server during TLS connections. Successful exploitation allows an attacker to intercept and potentially modify encrypted traffic, bypassing intended security controls. This could lead to unauthorized access to sensitive data, man-in-the-middle attacks, and compromise of backend services protected by mTLS. The blast radius extends to any service relying on Traefik for mTLS enforcement, potentially exposing a wide range of applications and data.
CVE-2026-32305 was publicly disclosed on March 23, 2026. The vulnerability's complexity suggests a medium probability of exploitation (EPSS score likely medium). Public proof-of-concept (PoC) code is anticipated, which could accelerate exploitation. Monitor CISA KEV for updates and potential inclusion of this CVE.
Organizations heavily reliant on Traefik for mTLS enforcement, particularly those with critical backend services protected by mTLS, are at significant risk. Environments utilizing older TLS libraries on client devices are also more vulnerable, as they may generate fragmented ClientHello messages.
• linux / server:
journalctl -u traefik -g 'TLS handshake failed'
• generic web:
curl -v --tlsv1.3 https://your-traefik-endpoint.com # inspect the TLS 1.3 handshake with the endpoint (verbose output shows the negotiated TLS parameters and whether a client certificate is requested)
Exploit Status
EPSS
0.01% (2% percentile)
CISA SSVC
The primary mitigation for CVE-2026-32305 is upgrading Traefik to version 3.7.0-ea.2 or later, which includes the fix for this vulnerability. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as configuring Traefik to reject fragmented TLS ClientHello messages. While this may impact legitimate clients using older TLS libraries, it can reduce the attack surface. Monitor Traefik logs for unusual TLS handshake patterns that might indicate exploitation attempts. After upgrading, confirm the fix by attempting a fragmented TLS ClientHello connection and verifying that Traefik rejects it.
Update Traefik to version 2.11.41, 3.6.11 or 3.7.0-ea.2 or later. These versions contain the fix that prevents mTLS bypass caused by ClientHello packet fragmentation.
CVE-2026-32305 is a vulnerability in Traefik allowing attackers to bypass mTLS by exploiting fragmented TLS ClientHello messages, potentially leading to unauthorized access.
You are affected if you are running Traefik versions prior to 3.7.0-ea.2 and utilize mTLS for security.
Upgrade Traefik to version 3.7.0-ea.2 or later to resolve this vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While no active exploitation has been confirmed, the vulnerability's nature and potential for PoC code suggest a risk of exploitation.
Refer to the official Traefik security advisory on their website for detailed information and updates regarding CVE-2026-32305.