SB2026050533 - Multiple vulnerabilities in Traefik

Published: May 5, 2026

Security Bulletin ID SB2026050533
CSH Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High: 33%
Low: 67%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Authentication Bypass by Primary Weakness (CVE-ID: CVE-2026-32305)

The vulnerability allows a remote attacker to bypass mutual TLS authentication and access services protected by route-level mTLS.

The vulnerability exists because the TLS SNI pre-sniffing logic makes a security decision based on incomplete input when it processes a TLS ClientHello that is fragmented across records. A remote attacker can send a specially crafted fragmented ClientHello to bypass mutual TLS authentication and access services protected by route-level mTLS.

Exploitation requires that route-level TLS options enforce mTLS for a host, that the default TLS configuration is weaker, and that pre-sniff SNI extraction fails and yields an empty SNI, so that the connection is handled by the weaker default configuration.
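The defensive point behind this issue is that a pre-sniffer must distinguish "the ClientHello has not fully arrived" from "the ClientHello carries no SNI", and must never let the first case fall through to the weaker default TLS configuration. The following Go program is an added example written for this bulletin; it is not Traefik's code and does not reproduce its pre-sniffer. It parses only the first TLS record, returns ErrIncomplete whenever the handshake message continues in a later record, and selects a named TLS options set only from a complete hello. BuildClientHello produces a constructed sample input; the route map and option names are assumptions for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// ErrIncomplete, not an empty SNI, is returned while the ClientHello is still arriving.
var (
	ErrIncomplete = errors.New("clienthello: incomplete, need more data")
	ErrMalformed  = errors.New("clienthello: not a well-formed ClientHello")
)

// PeekSNI reads the server_name extension from the first TLS record in buf.
func PeekSNI(buf []byte) (string, error) {
	if len(buf) < 5 {
		return "", ErrIncomplete
	}
	recLen := int(binary.BigEndian.Uint16(buf[3:5]))
	if buf[0] != 0x16 || recLen < 4 { // content type 22 = handshake
		return "", ErrMalformed
	}
	if len(buf) < 5+recLen {
		return "", ErrIncomplete // record body still in flight
	}
	hs := buf[5 : 5+recLen]
	if hs[0] != 0x01 { // handshake type 1 = ClientHello
		return "", ErrMalformed
	}
	// Fragmented: the message continues in later records, so refuse to decide on the prefix.
	hsLen := int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3])
	if hsLen > len(hs)-4 {
		return "", ErrIncomplete
	}
	body, off := hs[4:4+hsLen], 34 // skip client_version(2) + random(32)
	for _, w := range []int{1, 2, 1} { // session_id<1>, cipher_suites<2>, compression_methods<1>
		if off+w > len(body) {
			return "", ErrMalformed
		}
		n := int(body[off])
		if w == 2 {
			n = int(binary.BigEndian.Uint16(body[off:]))
		}
		off += w + n
	}
	if off == len(body) {
		return "", nil // no extensions block: a complete hello with no SNI
	}
	if off+2 > len(body) || len(body)-off-2 != int(binary.BigEndian.Uint16(body[off:])) {
		return "", ErrMalformed
	}
	exts := body[off+2:]
	for len(exts) >= 4 {
		typ, l := binary.BigEndian.Uint16(exts), int(binary.BigEndian.Uint16(exts[2:]))
		if len(exts) < 4+l {
			return "", ErrMalformed
		}
		data := exts[4 : 4+l]
		exts = exts[4+l:]
		if typ != 0 { // extension type 0 = server_name
			continue
		}
		// ServerNameList: list_len(2) name_type(1)=0 name_len(2) host_name
		if len(data) < 5 || data[2] != 0 {
			return "", ErrMalformed
		}
		if n := int(binary.BigEndian.Uint16(data[3:])); len(data) >= 5+n {
			return string(data[5 : 5+n]), nil
		}
		return "", ErrMalformed
	}
	return "", nil
}

// ChooseTLSOptions maps the sniffed SNI to a named TLS options set. Errors propagate
// instead of being read as "no SNI", so defaultOptions is only chosen for a complete hello.
func ChooseTLSOptions(buf []byte, routeOptions map[string]string, defaultOptions string) (string, error) {
	sni, err := PeekSNI(buf)
	if err != nil {
		return "", err
	}
	if opts, ok := routeOptions[sni]; ok {
		return opts, nil
	}
	return defaultOptions, nil
}

// BuildClientHello constructs a minimal ClientHello with one cipher suite and a
// server_name extension (constructed sample input, not captured traffic).
func BuildClientHello(sni string) []byte {
	name := []byte(sni)
	data := append([]byte{0, byte(len(name) + 3), 0, 0, byte(len(name))}, name...)
	ext := append([]byte{0, 0, 0, byte(len(data))}, data...)
	body := append([]byte{3, 3}, make([]byte, 32)...)                 // client_version + random
	body = append(body, 0, 0, 2, 0x13, 0x01, 1, 0, 0, byte(len(ext))) // sid, suites, compression, ext_len
	body = append(body, ext...)
	hs := append([]byte{1, 0, 0, byte(len(body))}, body...)
	return append([]byte{0x16, 3, 1, 0, byte(len(hs))}, hs...)
}
```

A caller that receives ErrIncomplete should keep reading (or close the connection), never route; the weaker default configuration is reached only through a fully parsed hello whose host has no route-level options.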


2) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-32595)

The vulnerability allows a remote attacker to enumerate valid usernames.

The vulnerability exists due to observable timing discrepancy in the BasicAuth middleware when validating submitted credentials. A remote attacker can send authentication requests and measure response times to enumerate valid usernames.

Only deployments with the BasicAuth middleware enabled are vulnerable.
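A timing discrepancy in credential validation usually comes from doing less work for an unknown username than for a known one with a wrong password. The Go program below is an added example written for this bulletin, not Traefik's BasicAuth middleware: it shows the leaky early-return shape next to a uniform-work version that hashes against a dummy record for unknown users and folds the "user exists" bit into the result only after hashing. slowHash is a constructed stand-in for a real password hash (bcrypt or argon2 from golang.org/x/crypto in production); the user names and passwords are sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// iterations makes slowHash cost a few milliseconds, which is what makes the
// "skipped hashing for unknown user" gap measurable in the first place.
const iterations = 20000

// slowHash is a constructed stand-in for bcrypt/argon2 (use golang.org/x/crypto
// in production); it exists only so the block runs on the standard library.
func slowHash(password string, salt []byte) []byte {
	out := salt
	for i := 0; i < iterations; i++ {
		m := hmac.New(sha256.New, []byte(password))
		m.Write(out)
		out = m.Sum(nil)
	}
	return out
}

type record struct{ salt, hash []byte }

func newRecord(password string) record {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return record{salt: salt, hash: slowHash(password, salt)}
}

// Store is an in-memory user table with a dummy record that is hashed against
// whenever the requested user does not exist.
type Store struct {
	users map[string]record
	dummy record
}

func NewStore() *Store {
	return &Store{users: map[string]record{}, dummy: newRecord("unused-dummy-password")}
}

func (s *Store) Add(user, password string) { s.users[user] = newRecord(password) }

// VerifyNaive is the leaky pattern: an unknown user returns before any hashing,
// so its response is measurably faster than a known user with a wrong password.
func (s *Store) VerifyNaive(user, password string) bool {
	rec, ok := s.users[user]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(slowHash(password, rec.salt), rec.hash) == 1
}

// VerifyUniform does the same work on every path: unknown users are hashed
// against the dummy record, and the existence bit is folded into the result
// only after hashing, so known-bad and unknown credentials take the same time.
func (s *Store) VerifyUniform(user, password string) bool {
	rec, known := s.users[user]
	if !known {
		rec = s.dummy
	}
	match := subtle.ConstantTimeCompare(slowHash(password, rec.salt), rec.hash)
	knownBit := 0
	if known {
		knownBit = 1
	}
	return match&knownBit == 1
}

// timeIt returns how long one verification takes; main uses it to show the gap.
func timeIt(f func() bool) time.Duration {
	start := time.Now()
	f()
	return time.Since(start)
}

func main() {
	s := NewStore()
	s.Add("alice", "correct-horse-battery")
	verifiers := map[string]func(string, string) bool{"naive": s.VerifyNaive, "uniform": s.VerifyUniform}
	for name, verify := range verifiers {
		known := timeIt(func() bool { return verify("alice", "wrong-password") })
		unknown := timeIt(func() bool { return verify("mallory", "wrong-password") })
		fmt.Printf("%-8s known user, wrong password: %v  unknown user: %v\n", name, known, unknown)
	}
}
```

Running main prints a visible gap for the naive verifier and roughly equal times for the uniform one. The knownBit step matters: without it, someone guessing the dummy password would be accepted as a non-existent user, which is why the lookup result is combined with the hash comparison rather than short-circuiting it.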


3) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2026-32695)

The vulnerability allows a remote user to bypass host and header routing constraints and redirect unauthorized traffic to victim services.

The vulnerability exists because the Traefik Kubernetes Knative provider interpolates user-controlled host or header values into backtick-delimited router rule expressions without neutralizing special characters. A remote user who can create or update a Knative Ingress resource can craft those values to bypass host and header routing constraints and redirect unauthorized traffic to victim services.

Exploitation depends on admission or validation policy and on the ability to create or modify Knative Ingress resources in shared or multi-tenant deployments.
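When values from a tenant-controlled resource end up inside a rule string literal, the safe approach is to validate them against a strict allowlist before interpolation and to refuse to build the rule otherwise. The Go program below is an added example written for this bulletin, not the Traefik Knative provider's code. The rule shape follows Traefik's documented Host(`...`) and Headers(`...`, `...`) syntax, but the builder, the allowlists and the sample host and header values are assumptions chosen for illustration; the vulnerable shape it replaces is formatting the raw values straight into the backtick-delimited literals.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// ErrUnsafeValue is returned for any host or header value that fails the
// allowlist; the caller must not fall back to interpolating it anyway.
var ErrUnsafeValue = errors.New("rule: value rejected by allowlist")

var (
	// RFC 1123 host name: dot-separated labels of letters, digits and inner hyphens.
	hostRe = regexp.MustCompile(`(?i)^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$`)
	// Header names: a deliberately narrow subset of RFC 7230 tokens (no backtick).
	headerNameRe = regexp.MustCompile(`^[A-Za-z0-9-]{1,64}$`)
)

func ValidHost(h string) bool { return len(h) <= 253 && hostRe.MatchString(h) }

func ValidHeaderName(n string) bool { return headerNameRe.MatchString(n) }

// ValidHeaderValue allows printable ASCII only, and never the backtick that
// would close a rule string literal.
func ValidHeaderValue(v string) bool {
	if v == "" || len(v) > 256 {
		return false
	}
	for i := 0; i < len(v); i++ {
		if v[i] < 0x20 || v[i] > 0x7e || v[i] == '`' {
			return false
		}
	}
	return true
}

// BuildRule assembles a router rule such as
// Host(`a.example.test`) && Headers(`X-Tenant`, `acme`), validating every
// value before it is placed between backticks.
func BuildRule(host string, headers map[string]string) (string, error) {
	if !ValidHost(host) {
		return "", fmt.Errorf("%w: host %q", ErrUnsafeValue, host)
	}
	parts := []string{fmt.Sprintf("Host(`%s`)", host)}
	names := make([]string, 0, len(headers))
	for n := range headers {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic rule text for diffing and auditing
	for _, n := range names {
		v := headers[n]
		if !ValidHeaderName(n) || !ValidHeaderValue(v) {
			return "", fmt.Errorf("%w: header %q=%q", ErrUnsafeValue, n, v)
		}
		parts = append(parts, fmt.Sprintf("Headers(`%s`, `%s`)", n, v))
	}
	return strings.Join(parts, " && "), nil
}

func main() {
	for _, h := range []string{"tenant-a.example.test", "bad`host"} {
		rule, err := BuildRule(h, map[string]string{"X-Tenant": "acme"})
		fmt.Printf("host %q -> rule %q err %v\n", h, rule, err)
	}
}
```

The allowlist is intentionally narrower than what the wire formats permit: a host name that is valid for DNS and a header name that is a valid token are also guaranteed not to contain the delimiter of the rule language, so no escaping logic is needed and a rejected resource surfaces as an error the admission layer can report.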


Remediation

Install update from vendor's website.