PatchSiren cyber security CVE debrief
CVE-2026-25949 traefik CVE debrief
CVE-2026-25949 is a high-severity vulnerability in Traefik, an HTTP reverse proxy and load balancer. An unauthenticated client can exploit this vulnerability by sending an 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in Traefik version 3.6.8. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 7.5, indicating a high severity. The vulnerability was published on February 12, 2026, and last modified on June 30, 2026.
- Vendor: traefik
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-12
- Original CVE updated: 2026-06-30
- Advisory published: 2026-02-12
- Advisory updated: 2026-06-30
Who should care
Administrators and users running Traefik versions prior to 3.6.8 should upgrade to the patched version without delay. Defenders and security teams responsible for monitoring and protecting against denial-of-service attacks should also be aware of this vulnerability and its potential impact.
Technical summary
The vulnerability exists in Traefik's handling of STARTTLS requests. An unauthenticated client can send an 8-byte Postgres SSLRequest (STARTTLS) prelude and then stall, causing connections to remain open indefinitely. This leads to a denial of service, as the connections are not properly closed. The vulnerability is fixed in Traefik version 3.6.8, which properly handles STARTTLS requests and prevents this type of denial-of-service attack.
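As an added illustration (this is not Traefik's code, and the page does not describe how 3.6.8 actually fixes the issue): a Go STARTTLS handler that bounds the whole prelude-then-handshake step with a single connection deadline, so a client that sends the SSLRequest and then stalls gets dropped instead of holding the connection open. The SSLRequest bytes follow the Postgres protocol; the handler, the Simulate harness and its in-process stalling client are constructed here.

```go
package main

import (
	"bytes"
	"errors"
	"io"
	"net"
	"time"
)

// Postgres SSLRequest prelude: int32 length 8, then int32 code 80877103 (0x04D2162F).
var sslRequest = []byte{0, 0, 0, 8, 0x04, 0xD2, 0x16, 0x2F}

// HandleStartTLS reads the prelude, answers 'S', and waits for the first byte of the
// TLS handshake under one deadline, so a client that stalls after the prelude gets a
// timeout error. A real proxy would re-prepend the returned byte (io.MultiReader).
func HandleStartTLS(conn net.Conn, d time.Duration) (byte, error) {
	if err := conn.SetDeadline(time.Now().Add(d)); err != nil {
		return 0, err
	}
	prelude := make([]byte, 8)
	if _, err := io.ReadFull(conn, prelude); err != nil {
		return 0, err
	}
	if !bytes.Equal(prelude, sslRequest) {
		return 0, errors.New("prelude is not a Postgres SSLRequest")
	}
	if _, err := conn.Write([]byte{'S'}); err != nil {
		return 0, err
	}
	first := make([]byte, 1)
	_, err := io.ReadFull(conn, first)
	return first[0], err
}

// Simulate drives HandleStartTLS with an in-process client (net.Pipe) that sends the
// prelude, reads the 'S', then either stalls (after == nil) or sends `after`.
func Simulate(after []byte, d time.Duration) (byte, error) {
	client, server := net.Pipe()
	defer client.Close()
	defer server.Close()
	go func() {
		client.Write(sslRequest)             // constructed SSLRequest prelude
		io.ReadFull(client, make([]byte, 1)) // consume the 'S' reply
		if after != nil {
			client.Write(after)
		}
	}()
	return HandleStartTLS(server, d)
}
```

Without the SetDeadline call the final ReadFull would block forever for the stalling client, which is the condition the advisory describes.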
Defensive priority
High priority should be given to upgrading Traefik to version 3.6.8 or later. Defenders should also monitor for potential denial-of-service attacks and implement additional security measures to prevent exploitation.
Recommended defensive actions
- Upgrade Traefik to version 3.6.8 or later
- Monitor for potential denial-of-service attacks
- Implement additional security measures to prevent exploitation
- Review and update Traefik configurations to ensure proper handling of STARTTLS requests
- Consider implementing rate limiting or other traffic management measures to prevent exploitation
Evidence notes
The vulnerability was published on February 12, 2026, and last modified on June 30, 2026. The CVSS score for this vulnerability is 7.5, indicating a high severity. The vulnerability is fixed in Traefik version 3.6.8.
Official resources
- CVE-2026-25949 CVE record (CVE.org)
- CVE-2026-25949 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Product, Release Notes
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.