PatchSiren cyber security CVE debrief

CVE-2026-25949 traefik CVE debrief

CVE-2026-25949 is a high-severity vulnerability in Traefik, an HTTP reverse proxy and load balancer. An unauthenticated client can exploit it by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling; affected versions leave such connections open indefinitely, which leads to a denial of service. The vulnerability is fixed in Traefik version 3.6.8. Its Common Vulnerability Scoring System (CVSS) score is 7.5, indicating high severity. The vulnerability was published on February 12, 2026, and last modified on June 30, 2026.

Vendor: traefik
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-12
Original CVE updated: 2026-06-30
Advisory published: 2026-02-12
Advisory updated: 2026-06-30

Who should care

Administrators and operators running Traefik versions prior to 3.6.8 should upgrade to the patched version without delay. Defenders and security teams responsible for monitoring and protecting against denial-of-service attacks should also be aware of this vulnerability and its potential impact.

Technical summary

The vulnerability lies in Traefik's handling of STARTTLS requests. An unauthenticated client can send the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stall without sending anything further. Affected versions never close such a connection, so stalled connections remain open indefinitely and accumulate, resulting in a denial of service. Traefik version 3.6.8 fixes the issue by handling STARTTLS requests properly, which prevents this type of denial-of-service attack.
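The stall-and-hold pattern described above belongs to a class of resource-exhaustion bugs in which a server waits for a client's opening bytes with no upper bound on the wait. The following Go program is an added example, not Traefik's code and not taken from the fix in 3.6.8: it shows a generic accept-side prelude read bounded by a read deadline, together with a parser that recognises the 8-byte Postgres SSLRequest (length 8, request code 80877103, both from the public PostgreSQL wire protocol). The timeout value, the function names and the in-memory net.Pipe client used to simulate a stalling peer are assumptions chosen for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

// Postgres SSLRequest: Int32 length (always 8) followed by the request
// code 80877103 (0x04D2162F), as defined by the PostgreSQL wire protocol.
const (
	pgSSLRequestLen  = 8
	pgSSLRequestCode = 80877103
)

// isPostgresSSLRequest reports whether b is exactly the 8-byte Postgres
// SSLRequest (STARTTLS) prelude.
func isPostgresSSLRequest(b []byte) bool {
	if len(b) != pgSSLRequestLen {
		return false
	}
	return binary.BigEndian.Uint32(b[:4]) == pgSSLRequestLen &&
		binary.BigEndian.Uint32(b[4:]) == pgSSLRequestCode
}

// errPreludeTimeout is returned when a peer opens a connection but does not
// deliver a complete prelude within the allowed window.
var errPreludeTimeout = errors.New("prelude not received before deadline")

// readPreludeWithDeadline reads exactly 8 bytes from conn, giving up after
// timeout. Without the deadline, a peer that sends a partial prelude (or
// nothing at all) would pin this connection's handler indefinitely.
func readPreludeWithDeadline(conn net.Conn, timeout time.Duration) ([]byte, error) {
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return nil, err
	}
	defer conn.SetReadDeadline(time.Time{}) // clear the deadline for later reads

	buf := make([]byte, pgSSLRequestLen)
	if _, err := io.ReadFull(conn, buf); err != nil {
		var nerr net.Error
		if errors.As(err, &nerr) && nerr.Timeout() {
			return nil, errPreludeTimeout
		}
		return nil, err
	}
	return buf, nil
}

// simulateClient (hypothetical helper) opens an in-memory connection, writes
// clientBytes from the client side and then stalls without closing, so the
// server side must rely on its own deadline. It returns how the server
// classified the prelude.
func simulateClient(clientBytes []byte, timeout time.Duration) (string, error) {
	server, client := net.Pipe()
	defer server.Close()
	defer client.Close()

	go func() {
		if len(clientBytes) > 0 {
			client.Write(clientBytes)
		}
		// Stall: send nothing further and keep the connection open.
	}()

	prelude, err := readPreludeWithDeadline(server, timeout)
	if err != nil {
		return "", err
	}
	if isPostgresSSLRequest(prelude) {
		return "postgres-starttls", nil
	}
	return "other", nil
}

func main() {
	// Constructed sample input: the 8-byte Postgres SSLRequest prelude
	// (length 8, code 80877103) from the public protocol definition.
	full := []byte{0x00, 0x00, 0x00, 0x08, 0x04, 0xD2, 0x16, 0x2F}

	kind, err := simulateClient(full, 500*time.Millisecond)
	fmt.Println("complete prelude:", kind, err)

	// A peer that delivers half the prelude and then stalls is cut off by
	// the deadline instead of holding the connection open forever.
	kind, err = simulateClient(full[:4], 500*time.Millisecond)
	fmt.Println("stalled peer:", kind, err)
}
```

The defensive point is the deadline, not the parser: whatever a proxy does with the prelude once it arrives, the read that waits for it must be bounded, and a timeout should be treated as a normal outcome that closes the connection and frees its resources. In production the timeout would be tuned to legitimate client latency, and the count of such timeouts is a useful signal to watch for stall-style abuse.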

Defensive priority

Upgrading Traefik to version 3.6.8 or later should be treated as a high priority. Defenders should also monitor for signs of denial-of-service activity and put additional protective measures in place to limit exploitation.

Recommended defensive actions

  • Upgrade Traefik to version 3.6.8 or later
  • Monitor for potential denial-of-service attacks
  • Implement additional security measures to prevent exploitation
  • Review and update Traefik configurations to ensure proper handling of STARTTLS requests
  • Consider implementing rate limiting or other traffic management measures to prevent exploitation

Evidence notes

The vulnerability was published on February 12, 2026, and last modified on June 30, 2026. The CVSS score for this vulnerability is 7.5, indicating a high severity. The vulnerability is fixed in Traefik version 3.6.8.

Official resources

This article is AI-assisted and based on the supplied source corpus.