Authentication bypass using an alternate path or channel in Traefik - CVE-2026-48491
Published: July 3, 2026
Traefik
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass mutual TLS authentication and access protected backends.
The vulnerability exists due to improper authentication in SNICheck when resolving TLSOptions for wildcard host rules during domain-fronted HTTPS or HTTP/2 requests. A remote attacker can complete a TLS handshake using a permissive SNI and then send a crafted Host header targeting a wildcard-protected backend to bypass mutual TLS authentication and access protected backends.
Exploitation requires a wildcard-protected router with stricter TLS options and another permissive SNI served on the same entrypoint.
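The precondition and request pattern described above can be checked from the defender's side. The following is an added example, not code from Traefik or from this advisory: it uses a simplified router model with constructed hostnames and hypothetical log field names (`sni`, `host`, `client_cert`), and assumes a `*.` wildcard matches exactly one label.

```python
# Simplified model for illustration; not Traefik's code or configuration schema.
# Constructed routers on one entrypoint: (host pattern, client certificate required?)
ROUTERS = [
    ("*.internal.example.test", True),   # wildcard rule with strict mTLS options
    ("public.example.test", False),      # permissive SNI on the same entrypoint
]

def normalize(name):
    """Lower-case, drop any :port suffix (Host headers may carry one) and trailing dot."""
    name = name.strip().lower()
    if not name.startswith("["):          # leave bracketed IPv6 literals alone
        name = name.split(":", 1)[0]
    return name.rstrip(".")

def matches(pattern, name):
    """Exact match, or '*.suffix' matching exactly one extra label (assumed semantics)."""
    if pattern.startswith("*."):
        label, _, rest = name.partition(".")
        return bool(label) and rest == pattern[2:]
    return name == pattern

def requires_client_cert(name, routers=ROUTERS):
    """True/False from the first rule matching name; None when no rule matches."""
    name = normalize(name)
    for pattern, strict in routers:
        if matches(pattern, name):
            return strict
    return None

def audit_entrypoint(routers=ROUTERS):
    """Advisory precondition: a strict wildcard rule plus a permissive SNI together."""
    has_strict_wildcard = any(s and p.startswith("*.") for p, s in routers)
    has_permissive = any(not s for _, s in routers)
    return has_strict_wildcard and has_permissive

def flag_requests(records, routers=ROUTERS):
    """Flag requests whose SNI got permissive options while Host maps to a strict rule."""
    return [r for r in records
            if requires_client_cert(r["host"], routers)
            and not requires_client_cert(r["sni"], routers)
            and not r["client_cert"]]

# Constructed log records; the field names are hypothetical.
SAMPLE = [
    {"sni": "public.example.test", "host": "public.example.test", "client_cert": False},
    {"sni": "public.example.test", "host": "admin.internal.example.test:443", "client_cert": False},
    {"sni": "admin.internal.example.test", "host": "admin.internal.example.test", "client_cert": True},
]
print(audit_entrypoint(), [r["host"] for r in flag_requests(SAMPLE)])
```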