CVE-2026-48491: Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass
Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection (SNICheck) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rule such as Host(*.example.com) with stricter TLS options (for example RequireAndVerifyClientCert), SNICheck resolves the TLS options for the HTTP Host header using exact map lookups only and never applies wildcard matching. If another permissive SNI is served on the same entrypoint, an attacker can complete the TLS handshake under the permissive options and then send an HTTP Host header targeting the wildcard-protected backend, reaching it without presenting a client certificate. This affects the regular HTTPS / HTTP-2 path and does not require HTTP/3. This vulnerability is fixed in 3.7.3.
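Because the defect is a lookup mismatch (an exact map get on the Host header that never sees wildcard keys), the following added Go sketch contrasts an exact-only lookup with a wildcard-aware one under the same SNI/Host consistency check. It is illustration only, not Traefik's code: the map layout, the option names and the `sniCheckAllows` model are assumptions for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// optionsMap maps a host pattern (exact name or "*.domain" wildcard) to the name of
// the TLS options a router assigns to it. Names here are constructed for this example.
type optionsMap map[string]string

const defaultOptions = "default" // options used when no router claims the hostname

// lookupExact mirrors the flaw described above: a plain map lookup on the
// requested hostname, which never consults wildcard keys.
func lookupExact(m optionsMap, host string) string {
	if opt, ok := m[strings.ToLower(host)]; ok {
		return opt
	}
	return defaultOptions
}

// lookupWithWildcard tries the exact key first, then the single-label wildcard key
// for the parent domain ("api.example.com" -> "*.example.com"). The hostname is
// assumed to carry no port or trailing dot; only case folding is applied here.
func lookupWithWildcard(m optionsMap, host string) string {
	host = strings.ToLower(host)
	if opt, ok := m[host]; ok {
		return opt
	}
	if i := strings.IndexByte(host, '.'); i > 0 {
		if opt, ok := m["*"+host[i:]]; ok {
			return opt
		}
	}
	return defaultOptions
}

// sniCheckAllows models a domain-fronting check: the request is accepted only when
// the TLS options resolved for the handshake SNI and for the HTTP Host header agree.
func sniCheckAllows(m optionsMap, resolve func(optionsMap, string) string, sni, host string) bool {
	return resolve(m, sni) == resolve(m, host)
}

func main() {
	m := optionsMap{"*.example.com": "mtls", "public.example.net": defaultOptions}
	// Handshake under the permissive SNI, Host header aimed at the wildcard router.
	fmt.Println("exact-only lookup allows:    ", sniCheckAllows(m, lookupExact, "public.example.net", "api.example.com"))
	fmt.Println("wildcard-aware lookup allows:", sniCheckAllows(m, lookupWithWildcard, "public.example.net", "api.example.com"))
}
```

With the exact-only lookup both names resolve to the default options, so the check passes and the request reaches the mTLS router; with the wildcard-aware lookup the Host resolves to the stricter options and the request is refused.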
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability exists in Traefik versions 3.7.0 through 3.7.2, affecting the SNICheck domain-fronting protection layer. The flaw is reachable over the network with no credentials required: an unauthenticated attacker on the internet can complete a TLS handshake using a permissive SNI on the same entrypoint, then send an HTTP Host header targeting a backend that is supposed to require mutual TLS (client certificate verification), bypassing that requirement entirely. Successful exploitation lets the attacker read data from and write data to backends that should have been protected by mTLS. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix version is published.
HarborGuard Coverage
- Available: Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all Traefik images in customer registries and CI pipelines, including custom-built images that bundle Traefik as a base or dependency layer.
- Available: HarborGuard is capable of scoring this finding at CVSS 9.1 Critical and weighting it against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within each customer organization based on workload ownership rules.
- Pending upstream: Because no upstream fix version has been published yet, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version appears in the upstream Traefik release feed. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once that fix lands.
Exploit Conditions
- Network reachability: Required. The attacker must reach the Traefik entrypoint over the network; exposure to the internet or any network path to the HTTPS listener is sufficient.
- Authentication: Not required. No credentials or client certificate are needed; the attacker initiates the bypass as a fully unauthenticated client.
- Victim interaction: Not required. The attacker acts entirely on their own; no action by an operator, user, or backend service is required to trigger the bypass.
- Attack complexity: Exploit conditions are straightforward and reliable: the attacker simply connects with a permissive SNI on the shared entrypoint and then sends a crafted Host header, with no race conditions or special memory layout required.
Blast Radius
- Reads responses from mTLS-protected backends that should have rejected the connection, exposing any data those services return, including API responses, session tokens, or internal records.
- Sends arbitrary requests to wildcard-protected backends, allowing modification of application state, triggering of privileged operations, or injection of malicious payloads into backend processing pipelines.
- Undermines the mTLS boundary entirely for any router using a wildcard Host rule with stricter TLSOptions on an entrypoint that also serves a permissive SNI, potentially affecting multiple backends behind the same Traefik instance.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix version exists for CVE-2026-48491 as of publication, HarborGuard continuously re-checks the Traefik advisory on every ingest cycle and will surface a patched-image rebuild automatically once version 3.7.3 or a later fix appears upstream. For customers with auto-remediation enabled, that rebuild will immediately trigger a regression-test run and open a PR against all workloads running an affected Traefik image. In the interim, compensating controls worth considering include applying a network policy that restricts access to Traefik entrypoints to known, trusted source CIDRs only; placing mTLS-protected backends on dedicated entrypoints that do not share a listener with any permissive-SNI routers; and auditing existing wildcard Host rules to confirm which ones rely on TLSOptions for access control. HarborGuard will notify affected environments through the standard findings feed the moment a fix version is confirmed.
Affected Products
- traefik/traefik: >= 3.7.0, < 3.7.3
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N