CVE-2026-32305: Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config
There is a potential vulnerability in Traefik’s TLS SNI pre-sniffing logic related to fragmented ClientHello packets.
When a TLS ClientHello is fragmented across multiple records, Traefik’s SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication.
I found a behavior in Traefik’s latest version where fragmented ClientHello packets can cause pre-sniff SNI extraction to not find the SNI (EOF during sniff), which makes the TCP router fall back to the default routing TLS config.
If the default TLS config does not require client certificates (which is NoClientCert by default), the handshake succeeds without client auth, and the request is later routed to the HTTP Host which should be protected with client certificate authentication (RequireAndVerifyClientCert tls config).
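The two behaviours that matter here, reassembling a ClientHello that spans several TLS records and failing closed when the SNI cannot be read, can be shown in a few lines of Go. The block below is an added example written for this page; it is not Traefik's code path and does not reproduce its router. The policy strings, the hostnames and the `clientAuthFor` helper are assumptions, the ClientHello bytes are constructed inside the block rather than captured, and the actual fix for CVE-2026-32305 is the patched releases listed under References. SNI extraction is delegated to `crypto/tls` via `GetConfigForClient`, whose record layer buffers handshake bytes across records, so only a genuinely truncated stream yields an error, and that error maps to the strict policy rather than the default one.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

const (
	recordHandshake = 22 // TLS record content type "handshake"
	hsClientHello   = 1  // handshake message type
	extServerName   = 0  // server_name extension id
)

// replayConn presents recorded bytes as a net.Conn. Writes (the alert that
// crypto/tls sends when we abort the handshake) are discarded.
type replayConn struct{ r io.Reader }

func (c replayConn) Read(p []byte) (int, error)     { return c.r.Read(p) }
func (replayConn) Write(p []byte) (int, error)      { return len(p), nil }
func (replayConn) Close() error                     { return nil }
func (replayConn) LocalAddr() net.Addr              { return nil }
func (replayConn) RemoteAddr() net.Addr             { return nil }
func (replayConn) SetDeadline(time.Time) error      { return nil }
func (replayConn) SetReadDeadline(time.Time) error  { return nil }
func (replayConn) SetWriteDeadline(time.Time) error { return nil }

// errSniffed aborts the handshake from GetConfigForClient once the ClientHello
// has been parsed, so no ServerHello is ever produced.
var errSniffed = errors.New("sniff complete")

// sniffSNI lets crypto/tls read the ClientHello. Its record layer reassembles
// a handshake message that spans several records, so fragmentation alone never
// shows up as EOF. A genuinely truncated stream still returns an error, which
// callers must treat as "SNI unknown", not as "no SNI, use the default".
func sniffSNI(r io.Reader) (string, error) {
	var sni string
	cfg := &tls.Config{GetConfigForClient: func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
		sni = hi.ServerName
		return nil, errSniffed
	}}
	if err := tls.Server(replayConn{r}, cfg).Handshake(); !errors.Is(err, errSniffed) {
		return "", err
	}
	return sni, nil
}

// clientAuthFor (hypothetical helper) picks the client-auth policy for a connection
// and fails closed: a hello that cannot be read, or carries no SNI, gets strict.
func clientAuthFor(conn io.Reader, perHost map[string]string, strict string) (string, string) {
	sni, err := sniffSNI(conn)
	if policy, ok := perHost[sni]; err == nil && sni != "" && ok {
		return sni, policy
	}
	return sni, strict
}

func be16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// buildClientHello assembles a minimal TLS 1.2-style ClientHello handshake
// message (a constructed sample, not captured traffic) whose SNI is host.
func buildClientHello(host string) []byte {
	name := append(append([]byte{0}, be16(len(host))...), host...) // name_type host_name + name
	sni := append(be16(len(name)), name...)                        // server_name_list
	ext := append(append(be16(extServerName), be16(len(sni))...), sni...)
	body := append([]byte{3, 3}, make([]byte, 32)...) // legacy_version + random
	body = append(body, 0, 0, 2, 0x13, 0x01, 1, 0)    // empty session id, one cipher suite, null compression
	body = append(append(body, be16(len(ext))...), ext...)
	return append([]byte{hsClientHello, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
}

// toRecords wraps msg in TLS handshake records of at most fragSize bytes each.
func toRecords(msg []byte, fragSize int) []byte {
	var out []byte
	for len(msg) > 0 {
		n := len(msg)
		if n > fragSize {
			n = fragSize
		}
		out = append(append(out, recordHandshake, 3, 3, byte(n>>8), byte(n)), msg[:n]...)
		msg = msg[n:]
	}
	return out
}

func main() {
	strict := "RequireAndVerifyClientCert"
	perHost := map[string]string{"public.example": "NoClientCert", "api.internal.example": strict}
	stream := toRecords(buildClientHello("api.internal.example"), 16) // hello spread over five records
	sni, policy := clientAuthFor(bytes.NewReader(stream), perHost, strict)
	fmt.Printf("reassembled: sni=%q policy=%s\n", sni, policy)
	sni, policy = clientAuthFor(bytes.NewReader(stream[:21]), perHost, strict) // only the first record arrives
	fmt.Printf("cut short:   sni=%q policy=%s\n", sni, policy)
}
```

The design point is the last return in `clientAuthFor`: an unreadable or absent SNI and an unknown host all land on the strict policy, which is the opposite of the fallback this advisory describes. In a real pre-sniff you would also bound the peek with a read deadline and a maximum byte count, since a 24-bit handshake length lets a peer make you buffer far more than a ClientHello.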
References
- github.com/advisories/GHSA-wvvq-wgcr-9q48
- github.com/traefik/traefik
- github.com/traefik/traefik/releases/tag/v2.11.41
- github.com/traefik/traefik/releases/tag/v3.6.11
- github.com/traefik/traefik/releases/tag/v3.7.0-ea.2
- github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48
- nvd.nist.gov/vuln/detail/CVE-2026-32305