FIND-20260410-011 · 2026-04-10 · Innovation Veille
CVE-2026-32305 — Traefik mTLS Bypass via Fragmented TLS ClientHello (CVSS 7.8, HIGH)
cve
HIGH
Traefik versions prior to 2.11.41, 3.6.11, and 3.7.0-ea.2 contain a high-severity mTLS bypass. When a TLS ClientHello is fragmented across multiple TLS records, Traefik's SNI extraction hits EOF and returns an empty SNI, so the TCP router falls back to the default TLS configuration, which does not require client certificates. An unauthenticated attacker can therefore bypass route-level mTLS enforcement and reach services that should require mutual TLS. CVSS 4.0 score 7.8 (High). ODS runs Traefik 3.6.13 as its API gateway, which is above the 3.6.11 fix threshold; confirm the deployed version and verify that mTLS is enforced on the routes that require it.
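The failure mode above (first record only, EOF on a fragmented ClientHello, empty SNI) is easy to reproduce in memory. The block below is an added illustration written for this finding, not Traefik's code or part of the advisory: it builds a minimal ClientHello with a server_name extension, wraps it in either one or two TLS records, and compares a naive parser that only looks at the first record against one that reassembles the handshake message across records. Hostname, split offset and the fail-closed helper are illustrative choices; no network traffic is sent.

```python
"""Reproduce the fragmented-ClientHello SNI extraction failure offline.

All bytes are constructed here (dummy random, one cipher suite, one extension);
nothing is sent on the wire. The split offset 40 lands inside the cipher-suite
length field so the first record alone is not a parseable ClientHello.
"""
import struct
from typing import Dict, Optional, Tuple

HS_CLIENT_HELLO = 0x01
CT_HANDSHAKE = 0x16
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2-style ClientHello handshake message with one SNI entry."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry         # server_name_list
    extension = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                                   # client_version
        + b"\x11" * 32                                # random (dummy)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
        + b"\x01\x00"                                 # compression: null
        + struct.pack("!H", len(extension)) + extension
    )
    return bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body


def to_records(handshake: bytes, split_at: Optional[int] = None) -> bytes:
    """Wrap the handshake in TLS records; with split_at the message spans two records."""
    parts = [handshake] if split_at is None else [handshake[:split_at], handshake[split_at:]]
    return b"".join(bytes([CT_HANDSHAKE, 3, 1]) + struct.pack("!H", len(p)) + p for p in parts)


def read_record(buf: bytes, pos: int) -> Tuple[bytes, int]:
    ctype, _ver, length = struct.unpack("!BHH", buf[pos:pos + 5])
    if ctype != CT_HANDSHAKE:
        raise ValueError("not a handshake record")
    return buf[pos + 5:pos + 5 + length], pos + 5 + length


def parse_sni(hs: bytes) -> str:
    """Walk a ClientHello; raise EOFError if the buffer ends before the SNI is reached."""
    pos = 0

    def need(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(hs):
            raise EOFError("ClientHello truncated")
        chunk = hs[pos:pos + n]
        pos += n
        return chunk

    if need(1)[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    need(3)                                      # handshake length
    need(2 + 32)                                 # version + random
    need(need(1)[0])                             # session_id
    need(struct.unpack("!H", need(2))[0])        # cipher_suites
    need(need(1)[0])                             # compression_methods
    end = pos + struct.unpack("!H", need(2))[0]  # extensions block
    while pos < end:
        etype, elen = struct.unpack("!HH", need(4))
        data = need(elen)
        if etype == EXT_SERVER_NAME:
            i = 2                                # skip server_name_list length
            while i < len(data):
                ntype, nlen = data[i], struct.unpack("!H", data[i + 1:i + 3])[0]
                if ntype == 0:
                    return data[i + 3:i + 3 + nlen].decode()
                i += 3 + nlen
    return ""


def naive_sni(wire: bytes) -> str:
    """Mirrors the failing behaviour: parse only the first record, map EOF to ''."""
    frag, _ = read_record(wire, 0)
    try:
        return parse_sni(frag)
    except EOFError:
        return ""


def reassembled_sni(wire: bytes) -> str:
    """Accumulate fragments until the 3-byte handshake length is satisfied, then parse."""
    hs, pos = b"", 0
    while pos < len(wire):
        frag, pos = read_record(wire, pos)
        hs += frag
        if len(hs) >= 4 and len(hs) >= 4 + int.from_bytes(hs[1:4], "big"):
            return parse_sni(hs[:4 + int.from_bytes(hs[1:4], "big")])
    raise EOFError("handshake incomplete")


def select_tls_options(sni: str, per_host: Dict[str, str], default: str) -> str:
    """Fail closed: an empty SNI must not inherit the permissive default options."""
    return "reject" if not sni else per_host.get(sni, default)


if __name__ == "__main__":
    hello = build_client_hello("docstore.internal.example")   # illustrative hostname
    for label, wire in (("one record", to_records(hello)), ("two records", to_records(hello, 40))):
        print(f"{label:12s} naive={naive_sni(wire)!r:30s} reassembled={reassembled_sni(wire)!r}")
```

The point for review: whichever parser a gateway uses, an extraction failure has to be treated as a hard error, not as "no SNI, use the default options". `select_tls_options` shows that fail-closed shape; the fix in the listed Traefik versions is the authoritative change.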
Source
https://github.com/advisories/GHSA-wvvq-wgcr-9q48
ODS Impact
API Gateway (Traefik 3.6.13 on srv-staging). ODS uses Traefik as the primary API gateway with TLS. If mTLS is enforced on any service-to-service route (OID, DocStore, etc.), those routes would be bypassable on an unpatched version. ODS is running a version above the fix threshold (3.6.13 > 3.6.11); confirm that the running binary actually reports 3.6.13 and that the affected routes still reference TLS options requiring client certificates.
Security Review
License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION
Tags
traefik
cve
mtls
tls
security
api-gateway