CVE-2026-53622 (Severity: CRITICAL; CNA: GitHub_M)

CVE-2026-53622: Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI value, which fails to match wildcard host patterns (e.g., *.example.com) or case variants of the configured hostname. Because the handshake falls back to the default TLS configuration — which may not require client certificates — a client can complete the QUIC handshake without presenting a certificate, while the subsequent HTTP routing layer still dispatches the request to a backend protected by a router-specific mTLS policy. The issue affects deployments where HTTP/3 is enabled, a router uses a wildcard Host rule or case-insensitive hostname matching, a router-specific TLSOptions enforces client certificate authentication, and UDP access to the entrypoint is reachable by an attacker. This vulnerability is fixed in 3.7.3.
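The lookup mismatch described above, modelled as an added stand-alone Go example (it is not Traefik's code or its patch): `selectExact` reproduces an exact, case-sensitive lookup that silently falls back to a default configuration without client authentication, and `selectNormalized` is an assumed hardened variant that lower-cases the SNI and matches a single-label wildcard, so the TLS policy chosen at handshake agrees with the host rule that later routes the request. The host patterns and the `*tls.Config` entries are a constructed sample.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Per-host TLS options keyed by host pattern (constructed sample). Both carry an
// mTLS policy; the default used when nothing matches does not (the weak fallback).
var tlsOptions = map[string]*tls.Config{
	"*.example.com":     {ClientAuth: tls.RequireAndVerifyClientCert},
	"admin.example.com": {ClientAuth: tls.RequireAndVerifyClientCert},
}

var defaultTLS = &tls.Config{ClientAuth: tls.NoClientCert}

// selectExact models the flawed behaviour: an exact, case-sensitive lookup on
// the raw SNI with a silent fallback to the default configuration.
func selectExact(sni string) *tls.Config {
	if cfg, ok := tlsOptions[sni]; ok {
		return cfg
	}
	return defaultTLS
}

// selectNormalized lower-cases the SNI, drops a trailing dot, then tries an exact
// match and a single-label wildcard "*.parent", mirroring how host rules route.
func selectNormalized(sni string) *tls.Config {
	host := strings.ToLower(strings.TrimSuffix(sni, "."))
	if cfg, ok := tlsOptions[host]; ok {
		return cfg
	}
	if i := strings.IndexByte(host, '.'); i > 0 {
		if cfg, ok := tlsOptions["*"+host[i:]]; ok {
			return cfg
		}
	}
	return defaultTLS
}

// requiresClientCert reports whether a handshake for sni demands a client certificate.
func requiresClientCert(sel func(string) *tls.Config, sni string) bool {
	return sel(sni).ClientAuth == tls.RequireAndVerifyClientCert
}

func main() {
	sni := "ADMIN.example.com" // constructed case variant of a configured host
	fmt.Println(requiresClientCert(selectExact, sni), requiresClientCert(selectNormalized, sni))
}
```

Running it prints `false true`: the exact lookup lets the case variant reach the default configuration, while the normalized lookup keeps the client-certificate requirement.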

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 3.7.3
Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability exists in Traefik's HTTP/3 (QUIC) TLS configuration selection. The flaw is reachable over the network without any credentials, because an exact case-sensitive SNI lookup fails to match wildcard host patterns or case variants, causing the handshake to fall back to a default TLS configuration that may not require client certificates. A remote, unauthenticated attacker can complete the QUIC handshake without presenting a client certificate and reach backends that should be protected by mutual TLS (mTLS), gaining unauthorized read and write access to those services. A patched-image rebuild at version 3.7.3 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-53622 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Traefik. Any image with a traefik binary older than 3.7.3 is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 9.1 CVSS v3.1 (Critical) and surfaces it with that severity in each customer's findings dashboard. Per-environment compliance policy weighting is applied to route the finding to the appropriate team inbox, allowing security and platform owners to prioritize remediation without manual triage steps.

Patch: Pending upstream

Because no upstream fix was available at initial publication, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream fix at 3.7.3 is confirmed in the release feed. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a pull request opened against affected workloads will be triggered automatically once the patched base becomes available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Traefik entrypoint over the network via UDP (QUIC/HTTP/3); no local or physical access is needed.

  • Authentication: Not required

    No credentials or client certificate are needed; the exploit works precisely because the mTLS requirement is bypassed during the QUIC handshake.

  • Victim interaction: Not required

    The attack is fully client-driven and requires no action from an administrator or end user.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploit conditions are straightforward and reliable: the attacker simply sends a QUIC ClientHello with an SNI value that does not exactly match the configured hostname, triggering the fallback without any race conditions or environmental tuning.

Blast Radius

  • An attacker reads responses from backends that should be restricted to mTLS-authenticated clients, exposing any data those services return (API responses, internal records, session tokens).
  • An attacker sends arbitrary requests to those same backends, modifying persisted state, triggering privileged operations, or injecting data, because the HTTP routing layer still dispatches the request normally after the handshake completes.
  • Any backend service protected solely by a router-specific TLSOptions mTLS policy and exposed over HTTP/3 is reachable as if no client-certificate requirement existed.

How HarborGuard Handles This

Available on HarborGuard: detection is active for all images containing a traefik binary below version 3.7.3, and the finding is scored Critical (9.1) to surface it at the top of remediation queues. Because version 3.7.3 is the confirmed upstream fix, a patched-image rebuild becomes available as soon as the release is confirmed in the upstream feed. For customers with auto-remediation enabled, HarborGuard triggers a rebuilt image, regression test run, and a PR opened against affected workloads automatically, with a median time from CVE publication to merged patch PR of around 90 minutes for Critical-severity issues in opt-in environments. Until a rebuild is deployed, compensating controls include disabling HTTP/3 (QUIC) on entrypoints where mTLS is enforced, adding network policy or firewall rules to block UDP traffic to affected entrypoints from untrusted sources, and auditing TLSOptions assignments to confirm no wildcard or mixed-case host rules are relied upon for security enforcement. HarborGuard continues monitoring the advisory on every ingest cycle and will update the finding status the moment the patched image rebuild is confirmed available.

Affected packages

  • traefik / traefik: < 3.7.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N