PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53622 traefik CVE debrief

Traefik, an HTTP reverse proxy and load balancer, has a critical vulnerability in its HTTP/3 (QUIC) TLS configuration selection. This issue allows unauthenticated clients to bypass router-specific mTLS enforcement. The vulnerability arises because the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI (Server Name Indication) value. This lookup fails to match wildcard host patterns (e.g., *.example.com) or case variants of the configured hostname. Consequently, the handshake falls back to the default TLS configuration, which may not require client certificates. This allows a client to complete the QUIC handshake without presenting a certificate. However, the subsequent HTTP routing layer still dispatches the request to a backend protected by a router-specific mTLS policy. The issue affects deployments where HTTP/3 is enabled, a router uses a wildcard Host rule or case-insensitive hostname matching, a router-specific TLSOptions enforces client certificate authentication, and UDP access to the entrypoint is reachable by an attacker. This vulnerability is fixed in Traefik version 3.7.3.

Vendor
traefik
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-23
Original CVE updated
2026-06-26
Advisory published
2026-06-23
Advisory updated
2026-06-26

Who should care

Administrators and security teams using Traefik for HTTP/3 (QUIC) configurations should be aware of this vulnerability. Specifically, those with deployments matching the affected scenarios—where HTTP/3 is enabled, routers use wildcard Host rules or case-insensitive hostname matching, and router-specific TLSOptions enforce client certificate authentication—should prioritize patching. Additionally, organizations relying on mTLS for security should assess their current configurations and update them according to Traefik's recommendations.

Technical summary

The vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection stems from the case-sensitive and exact SNI value lookup, which fails to match wildcard host patterns or case variants of configured hostnames. This results in the TLS handshake falling back to a default configuration that may not enforce client certificates, allowing unauthenticated clients to bypass mTLS policies. The issue is particularly concerning in scenarios where routers use wildcard Host rules or case-insensitive hostname matching and have router-specific TLSOptions enforcing client certificates. The vulnerability is addressed in Traefik version 3.7.3.

Defensive priority

Given the high CVSS score of 7.8 and the critical nature of this vulnerability, immediate attention is required for Traefik deployments that match the affected conditions. Patching to version 3.7.3 is strongly recommended as a primary defensive measure.

Recommended defensive actions

  • Update Traefik to version 3.7.3 or later to patch the vulnerability.
  • Review and adjust router configurations to ensure they align with security best practices, especially where wildcard Host rules or case-insensitive hostname matching are used.
  • Enhance monitoring for unusual QUIC handshake or mTLS policy bypass attempts.
  • Verify that mTLS policies are correctly enforced across all applicable routers and backends.
  • Consider temporarily disabling HTTP/3 if not essential, until all affected systems are patched.

Evidence notes

The CVE-2026-53622 record and associated NVD details provide critical information about the vulnerability, its impact, and the patch release in Traefik version 3.7.3. Vendor advisories and release notes offer additional context and mitigation strategies.

Official resources

This article is AI-assisted and based on the supplied source corpus.