Main Vulnerability Database Vulnerabilities #VU129663

Resource exhaustion in Traefik - CVE-2026-22045

Published: May 5, 2026

Vulnerability identifier: #VU129663

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-22045

CWE-ID: CWE-400

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Containous

Affected software:
Traefik

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in ACME TLS-ALPN handling in pkg/server/router/tcp/router.go when processing stalled TLS-ALPN handshakes. A remote attacker can send a minimal ClientHello with acme-tls/1 and then stop responding to cause a denial of service.

Only entrypoints with the ACME TLS-ALPN challenge enabled and ACME bypass disabled are vulnerable.

How to mitigate CVE-2026-22045

Install security update from vendor's website.

Sources

https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq

Resource exhaustion in Traefik - CVE-2026-22045

Detailed vulnerability description

How to mitigate CVE-2026-22045

Sources

Please verify you're human