{
  "threat_severity" : "Important",
  "public_date" : "2026-03-20T10:01:13Z",
  "bugzilla" : {
    "description" : "Traefik: github.com/traefik/traefik: Traefik: mTLS bypass allows unauthorized service access via fragmented ClientHello.",
    "id" : "2449595",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2449595"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-179",
  "details" : [ "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.", "A flaw was found in Traefik, an HTTP reverse proxy and load balancer. A remote attacker can exploit this vulnerability by sending fragmented ClientHello packets during the Transport Layer Security (TLS) handshake. This causes Traefik's Server Name Indication (SNI) extraction to fail, leading to a fallback to a default TLS configuration that does not require client certificates. This allows an attacker to bypass mutual TLS (mTLS) authentication, gaining unauthorized access to services that should be protected by client certificate requirements." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.27",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10175",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.27::el9",
    "package" : "devspaces/traefik-rhel9:1776718585"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-gitops-1/argo-rollouts-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-32305\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32305\nhttps://github.com/traefik/traefik/releases/tag/v2.11.41\nhttps://github.com/traefik/traefik/releases/tag/v3.6.11\nhttps://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2\nhttps://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48" ],
  "name" : "CVE-2026-32305",
  "mitigation" : {
    "value" : "To mitigate unauthorized access, restrict network access to the Traefik instance to only trusted clients and networks. Implement firewall rules to limit inbound connections to the ports Traefik listens on for mTLS-protected services. For example, using `firewalld`, specific source IP addresses or networks can be allowed. After applying firewall rules, ensure the firewall service is reloaded for changes to take effect. This reduces the attack surface by preventing untrusted external access to the Traefik instance.",
    "lang" : "en:us"
  },
  "csaw" : false
}