FIND-20260404-003 · 2026-04-04 · Innovation Veille

CVE-2026-32305: Traefik mTLS Bypass via Fragmented TLS ClientHello (CVSS 7.8) — Fixed in v3.6.11+

cve HIGH
CVE-2026-32305 (CVSS v4.0: 7.8) is a mutual TLS (mTLS) bypass in Traefik affecting all versions before 3.6.11 and 2.11.41. When a TLS ClientHello arrives fragmented across multiple records instead of whole in a single read, Traefik's SNI extraction fails and the connection falls back to the default TLS configuration, which does not require a client certificate. An unauthenticated remote attacker who can reach the gateway can therefore bypass route-level mTLS enforcement, with no user interaction required. Fixed in Traefik 3.6.11 (released March 2026). ODS currently tracks Traefik 3.6.12 in last-versions.json, which already includes this fix. Two additional CVEs were fixed in 3.6.12: CVE-2026-33433 (BasicAuth/DigestAuth identity spoofing via a non-canonical header) and CVE-2026-33186.
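The following is an added illustration of the bug class named above; it is not Traefik's code and does not claim to reproduce its internals. It builds a minimal ClientHello with an SNI extension, wraps it either in one TLS record or in several small ones (the record layer allows a handshake message to span records), and runs two SNI extractors over the byte stream: a naive one that parses only the first record, and a hardened one that reassembles records until the full handshake message is buffered. The route table and the two TLS configurations are hypothetical; the value names follow Go's tls.ClientAuthType, which Traefik uses for clientAuthType.

```python
import os
import struct
from typing import Callable, Dict, List, Optional

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: str) -> bytes:
    """Minimal ClientHello handshake message (4-byte header + body) carrying one SNI extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                                # legacy_version = TLS 1.2
        + os.urandom(32)                           # random
        + b"\x00"                                  # empty legacy_session_id
        + struct.pack("!HH", 2, 0x1301)            # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                              # compression_methods: null only
        + extensions
    )
    return bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def to_records(handshake: bytes, max_fragment: int) -> List[bytes]:
    """Wrap the handshake message in TLS records of at most max_fragment payload bytes each."""
    records = []
    for i in range(0, len(handshake), max_fragment):
        frag = handshake[i:i + max_fragment]
        records.append(bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(frag)) + frag)
    return records


def parse_sni(hs: bytes) -> Optional[str]:
    """Return the host_name from a complete ClientHello handshake message, or None if absent/truncated."""
    try:
        if hs[0] != HS_CLIENT_HELLO:
            return None
        length = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + length]
        if len(body) < length:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                   # skip legacy_version and random
        pos += 1 + body[pos]                           # legacy_session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        ext_total = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == EXT_SERVER_NAME:
                # list_len(2) + name_type(1) precede name_len(2); the name follows it
                name_len = struct.unpack_from("!H", body, pos + 3)[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
        return None
    except (IndexError, struct.error, ValueError):
        return None


def peek_sni_first_record(stream: bytes) -> Optional[str]:
    """Bug-class model: read exactly one TLS record and try to parse the ClientHello from it."""
    if len(stream) < 5 or stream[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack_from("!H", stream, 3)[0]
    return parse_sni(stream[5:5 + rec_len])


def extract_sni(stream: bytes) -> Optional[str]:
    """Hardened: reassemble handshake records until the whole ClientHello is buffered, then parse."""
    buf, pos, need = b"", 0, None
    while pos + 5 <= len(stream):
        if stream[pos] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack_from("!H", stream, pos + 3)[0]
        buf += stream[pos + 5:pos + 5 + rec_len]
        pos += 5 + rec_len
        if need is None and len(buf) >= 4:
            need = 4 + int.from_bytes(buf[1:4], "big")  # header + declared body length
        if need is not None and len(buf) >= need:
            return parse_sni(buf[:need])
    return None  # stream ended before the ClientHello was complete


# Hypothetical route table: only the named host enforces mTLS; the default does not.
ROUTES: Dict[str, dict] = {"internal.ods.example": {"client_auth": "RequireAndVerifyClientCert"}}
DEFAULT = {"client_auth": "NoClientCert"}


def select_tls_config(stream: bytes, extractor: Callable[[bytes], Optional[str]]) -> dict:
    """Pick the per-SNI TLS config, falling back to DEFAULT when no SNI could be extracted."""
    sni = extractor(stream)
    return ROUTES.get(sni, DEFAULT) if sni else DEFAULT


def demo() -> Dict[str, str]:
    hello = build_client_hello("internal.ods.example")
    whole = b"".join(to_records(hello, 16384))   # single record
    fragmented = b"".join(to_records(hello, 40)) # same message split across two records
    return {
        "naive_whole": select_tls_config(whole, peek_sni_first_record)["client_auth"],
        "naive_fragmented": select_tls_config(fragmented, peek_sni_first_record)["client_auth"],
        "fixed_fragmented": select_tls_config(fragmented, extract_sni)["client_auth"],
    }


if __name__ == "__main__":
    print(demo())
```

With a single record both extractors land on the mTLS route; with the fragmented stream the naive peek returns None and the connection is served under the default configuration with no client certificate, which is the shape of the bypass described above. One hardening this suggests, independent of the patch, is to make the default TLS options require a client certificate wherever a route does, so that a failed SNI lookup fails closed rather than open.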

Source

https://github.com/advisories/GHSA-wvvq-wgcr-9q48

ODS Impact

Traefik is the ODS API gateway. If ODS is running any Traefik version below 3.6.11, the mTLS enforcement protecting internal service-to-service communication can be bypassed by any client that can reach the gateway. Traefik 3.6.12 (already in last-versions.json) contains all three fixes. Verify the Traefik container version actually deployed on srv-staging (the version tracked in last-versions.json is not proof of what is running) and ensure it is 3.6.12 or later.
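An added helper for the verification step above (not part of the original note or of ODS tooling): it parses the output of `traefik version`, compares the result against the ODS minimum of 3.6.12 and against the per-branch fixed versions from the advisory, and, when given a container name, runs the command through `docker exec`. The sample CLI output is constructed and its Built timestamp is made up; the container name is an assumption.

```python
import re
import subprocess
import sys
from typing import Optional, Tuple

# Minimum the ODS note requires on srv-staging (3.6.12 carries all three fixes).
ODS_MINIMUM = "3.6.12"
# Earliest fixed version per release branch for CVE-2026-32305, per the advisory.
FIXED_BY_BRANCH = {2: "2.11.41", 3: "3.6.11"}

# Constructed sample of `traefik version` output (Built timestamp is made up).
SAMPLE_OUTPUT = """\
Version:      3.6.10
Go version:   go1.25.0
Built:        2026-02-20T10:00:00Z
OS/Arch:      linux/amd64
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v3.6.12' or '3.6.12-rc1' into (3, 6, 12); raise on anything else."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def version_from_cli_output(output: str) -> Optional[str]:
    """Extract the value of the 'Version:' line from `traefik version` output."""
    for line in output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Version":
            return value.strip()
    return None


def is_patched(version: str, minimum: str = ODS_MINIMUM) -> bool:
    """True if the version meets the ODS minimum (3.6.12 by default)."""
    return parse_version(version) >= parse_version(minimum)


def vulnerable_to_cve_2026_32305(version: str) -> bool:
    """True if the version is below the fixed release of its branch (everything before 2.x counts as affected)."""
    v = parse_version(version)
    if v[0] < 2:
        return True
    fixed = FIXED_BY_BRANCH.get(v[0])
    return fixed is not None and v < parse_version(fixed)


def check_container(container: str) -> Tuple[Optional[str], bool]:
    """Run `traefik version` inside a container and report (version, meets ODS minimum)."""
    out = subprocess.run(
        ["docker", "exec", container, "traefik", "version"],
        capture_output=True, text=True, check=True,
    ).stdout
    version = version_from_cli_output(out)
    return version, bool(version) and is_patched(version)


if __name__ == "__main__":
    # Assumed container name; pass the real one on srv-staging as the first argument.
    name = sys.argv[1] if len(sys.argv) > 1 else "traefik"
    ver, ok = check_container(name)
    print(f"{name}: Traefik {ver} -> {'OK' if ok else 'UPDATE REQUIRED (< ' + ODS_MINIMUM + ')'}")
    sys.exit(0 if ok else 1)
```

A non-zero exit when the deployed version is below 3.6.12 makes the check usable as a gate in the deployment pipeline, not only as a manual one-off.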

Security Review

N/A

Tags

traefik cve mtls tls api-gateway security high-severity