Resource exhaustion in Traefik - CVE-2026-26999

 


Published: May 5, 2026


Vulnerability identifier: #VU129665
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-26999
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Traefik
Software vendor: Containous

Description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the TLS handshake handling of the TCP router, in (*Router).ServeTCP, when processing TLS connections. A remote attacker can send an incomplete TLS record and then stop transmitting data to cause a denial of service.

By opening many stalled connections in parallel, file descriptors and goroutines can be exhausted, degrading availability of services on the affected entrypoint.
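The general defensive pattern for this class of stall, shown as an added example (not Traefik's code and not the vendor's patch): bound the read of the first TLS record with a read deadline, so a peer that goes silent mid-record releases its goroutine and file descriptor. The names readFirstRecord and probe, the 200 ms timeout and the sample bytes are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

const maxRecord = 16384 // largest plaintext TLS record body (2^14 bytes)

// readFirstRecord (hypothetical helper) reads one whole TLS handshake record
// under a read deadline, so a silent peer cannot pin the goroutine forever.
func readFirstRecord(c net.Conn, wait time.Duration) ([]byte, error) {
	if err := c.SetReadDeadline(time.Now().Add(wait)); err != nil {
		return nil, err
	}
	hdr := make([]byte, 5) // content type(1) + version(2) + length(2)
	if _, err := io.ReadFull(c, hdr); err != nil {
		return nil, fmt.Errorf("record header: %w", err)
	}
	n := int(hdr[3])<<8 | int(hdr[4])
	if hdr[0] != 0x16 || n == 0 || n > maxRecord {
		return nil, errors.New("not a plausible TLS handshake record")
	}
	rec := append(hdr, make([]byte, n)...)
	if _, err := io.ReadFull(c, rec[5:]); err != nil {
		return nil, fmt.Errorf("record body: %w", err)
	}
	// Clear the deadline so the proxied stream is not cut off later.
	return rec, c.SetReadDeadline(time.Time{})
}

// probe sends constructed bytes over an in-memory pipe, then stays silent.
func probe(sent []byte, wait time.Duration) (got int, timedOut bool) {
	srv, cli := net.Pipe()
	defer srv.Close()
	defer cli.Close()
	go cli.Write(sent) // peer writes what it has, then stalls with the pipe open
	rec, err := readFirstRecord(srv, wait)
	return len(rec), errors.Is(err, os.ErrDeadlineExceeded)
}

func main() {
	partial := []byte{0x16, 0x03, 0x01, 0x00, 0x64, 0x01, 0x00, 0x00} // constructed: claims 100 bytes, sends 3
	fmt.Println(probe(partial, 200*time.Millisecond))
}
```

Without the SetReadDeadline call, the second io.ReadFull would block until the peer closes the connection, which is the stalled state the description refers to.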


Remediation

Install the security update from the vendor's website.
