Traefik mTLS Bypass Vulnerability via Fragmented TLS ClientHello SNI Extraction Failure

Vulnerability

A vulnerability in Traefik's HTTP reverse proxy and load balancer can lead to a bypass of mutual TLS (mTLS) authentication. This issue affects Traefik versions 2.11.40 and prior, 3.0.0-beta1 through 3.6.10, and 3.7.0-ea.1. The vulnerability arises from the TLS Server Name Indication (SNI) pre-sniffing logic, which improperly handles fragmented ClientHello messages. When the ClientHello handshake message is split across multiple TLS records, Traefik may fail to extract the SNI correctly and fall back to a TLS configuration that does not require client certificates. As a result, an attacker could reach services that should mandate mTLS authentication.
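The following Go example is added here to illustrate the class of bug the advisory describes and the defensive handling; it is not Traefik's code and does not reproduce Traefik's implementation. It builds a constructed ClientHello carrying a server_name extension, wraps it in one or several TLS records, and extracts the SNI only after reassembling the handshake message across records. A pre-sniffer that parses just the first record is equivalent to calling parseSNI on that record's fragment alone, which fails as soon as the hello is split. The host name, the record sizes and the requireClientCert policy function are assumptions made for the example; the policy shows the fail-closed choice (an unreadable SNI still requires a client certificate) rather than the fail-open fallback the advisory describes.

```go
package main

import "errors"

var errTruncated = errors.New("truncated ClientHello")

// reader is a bounds-checked cursor: the first short read sets err, and later reads return nothing.
type reader struct {
	b   []byte
	err error
}

func (r *reader) take(n int) []byte {
	if r.err != nil || len(r.b) < n {
		r.err = errTruncated
		return nil
	}
	v := r.b[:n]
	r.b = r.b[n:]
	return v
}

func (r *reader) uint(n int) (x int) { // n-byte big-endian integer (n = 1, 2 or 3); 0 after an error
	for _, c := range r.take(n) {
		x = x<<8 | int(c)
	}
	return x
}

func be16(v int) []byte { return []byte{byte(v >> 8), byte(v)} }
func record(frag []byte) []byte { // one TLS record: type 0x16, legacy version 3.1, length, fragment
	return append(append([]byte{0x16, 0x03, 0x01}, be16(len(frag))...), frag...)
}

// buildClientHello returns a minimal ClientHello handshake message (type 0x01, 3-byte length, body)
// whose only extension is server_name. Constructed example data, not a captured handshake.
func buildClientHello(sni string) []byte {
	ext := append(append(be16(3+len(sni)), 0x00), be16(len(sni))...) // ServerNameList length, host_name type, name length
	ext = append(ext, sni...)
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...)       // client_version, all-zero random
	body = append(body, 0x00, 0x00, 0x02, 0xc0, 0x2f, 0x01, 0x00) // empty session_id, one cipher suite, null compression
	body = append(body, be16(len(ext)+4)...)                      // extensions length
	body = append(append(body, 0x00, 0x00), be16(len(ext))...)    // extension type server_name (0) and length
	body = append(body, ext...)
	return append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
}

// parseSNI extracts host_name from one complete ClientHello; a short or malformed message yields an error, never an empty name.
func parseSNI(msg []byte) (string, error) {
	r := &reader{b: msg}
	if r.uint(1) != 0x01 {
		return "", errors.New("not a ClientHello")
	}
	r = &reader{b: r.take(r.uint(3))} // body, exactly the declared length
	r.take(34)                        // client_version + random
	r.take(r.uint(1))                 // session_id
	r.take(r.uint(2))                 // cipher_suites
	r.take(r.uint(1))                 // compression_methods
	exts := &reader{b: r.take(r.uint(2))}
	for exts.err == nil && len(exts.b) >= 4 {
		typ := exts.uint(2)
		ext := &reader{b: exts.take(exts.uint(2))}
		if typ == 0 && exts.err == nil { // server_name extension
			ext.take(2) // ServerNameList length
			nameType := ext.uint(1)
			name := ext.take(ext.uint(2))
			if ext.err != nil || nameType != 0 {
				return "", errors.New("malformed server_name extension")
			}
			return string(name), nil
		}
	}
	return "", errors.New("server_name absent or ClientHello truncated")
}

// reassembledSNI joins handshake-record fragments until the whole ClientHello (4-byte header plus
// declared length) is present, then parses it; parsing a single record's fragment fails once split.
func reassembledSNI(stream []byte) (string, error) {
	r := &reader{b: stream}
	var hs []byte
	for r.err == nil && len(r.b) >= 5 {
		if hdr := r.take(3); hdr == nil || hdr[0] != 0x16 { // content type, legacy version
			return "", errors.New("non-handshake record before ClientHello completed")
		}
		hs = append(hs, r.take(r.uint(2))...)
		if len(hs) >= 4 {
			want := 4 + (int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3]))
			if len(hs) >= want {
				return parseSNI(hs[:want])
			}
		}
	}
	return "", errTruncated
}

// requireClientCert is the route-level decision: the protected host needs a client certificate, and so
// does any connection whose SNI could not be read (fail closed); returning false on err would be fail-open.
func requireClientCert(sni string, err error, protected map[string]bool) bool {
	return err != nil || protected[sni]
}
```

To exercise it, build `hello := buildClientHello("secure.example.internal")`, feed `record(hello)` and a stream made of several `record(hello[i:i+20])` slices to `reassembledSNI`, and compare with `parseSNI(hello[:20])`: the reassembled path returns the name in both cases, the single-fragment path returns an error, and `requireClientCert` turns that error into a client-certificate requirement instead of a permissive default. The two design points a practitioner should take away are that a pre-sniffer must buffer until the handshake length declared in the header is satisfied, and that any failure to determine the SNI must select the strictest TLS configuration, not the default one.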

Impact

Exploitation of this vulnerability allows for a route-level mTLS enforcement bypass, granting access to services that require mutual TLS authentication.

Remediation

Users can upgrade to Traefik versions 2.11.41, 3.6.11, or 3.7.0-ea.2 to address this vulnerability.

Added: Mar 20, 2026, 11:27 AM
Updated: Mar 20, 2026, 11:27 AM

Vulnerability Rating (Custom Algorithm)

spread: 7.6
impact: 1.3
exploitability: 8.3
remediation: 7.7
relevance: 4.2
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.