Authentication bypass using an alternate path or channel in Traefik - CVE-2026-53622
Published: July 3, 2026
Traefik
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass client certificate authentication and access protected backends.
The vulnerability is an authentication bypass using an alternate path or channel in the HTTP/3 TLS configuration selection logic when handling QUIC handshakes for wildcard or mixed-case hostnames. A remote attacker can send a crafted HTTP/3 request with an SNI value that causes fallback to the default TLS configuration, bypassing client certificate authentication and gaining access to protected backends.
Exploitation requires HTTP/3 to be enabled on the affected entrypoint, router-specific TLSOptions to enforce client certificate authentication, a weaker default TLS configuration, and attacker reachability to the UDP entrypoint.
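The preconditions above can be checked against a deployment's configuration. The following Python script is an added example, not part of the advisory or of Traefik: it audits an already-parsed static and dynamic configuration for routers that meet every config-visible precondition. The function names and sample data are constructed; it assumes only `RequireAndVerifyClientCert` counts as enforcing client certificates and that `HostRegexp` matchers and `*` entries under `tls.domains` are the wildcard case. Reachability of the UDP entrypoint has to be verified separately.

```python
import re

STRICT = "RequireAndVerifyClientCert"  # handshake fails without a verified client cert

def client_auth(tls_options, name):
    opt = tls_options.get(name.split("@")[0]) or {}  # drop "@provider" suffix
    return (opt.get("clientAuth") or {}).get("clientAuthType", "NoClientCert")

def risky_names(router):
    """Hostnames of the kind the advisory names: wildcard or mixed-case."""
    rule, flagged = router.get("rule", ""), []
    for args in re.findall(r"\bHost\(([^)]*)\)", rule):
        flagged += [n for n in re.findall(r"`([^`]+)`", args) if n != n.lower()]
    flagged += re.findall(r"\bHostRegexp\(`([^`]+)`", rule)  # assumed wildcard case
    for dom in (router.get("tls") or {}).get("domains", []):
        flagged += [n for n in [dom.get("main", ""), *dom.get("sans", [])] if "*" in n]
    return flagged

def audit(static_cfg, dynamic_cfg):
    """List (router, entrypoint, hostnames) meeting every config-visible precondition."""
    eps = static_cfg.get("entryPoints", {})
    h3 = {name for name, ep in eps.items() if "http3" in ep}
    opts = (dynamic_cfg.get("tls") or {}).get("options", {})
    if client_auth(opts, "default") == STRICT:
        return []  # default is not weaker: a fallback still demands a client cert
    findings = []
    for name, router in dynamic_cfg.get("http", {}).get("routers", {}).items():
        opt = (router.get("tls") or {}).get("options")
        names = risky_names(router)
        if not opt or client_auth(opts, opt) != STRICT or not names:
            continue
        # A router without an entryPoints list is by default attached to all of them.
        for ep in sorted(h3 & set(router.get("entryPoints") or eps)):
            findings.append((name, ep, names))
    return findings

# Constructed sample configuration (already parsed from YAML/TOML into dicts).
MTLS = {"options": "mtls"}
STATIC = {"entryPoints": {"websecure": {"address": ":443", "http3": {}},
                          "internal": {"address": ":8443"}}}
DYNAMIC = {
    "tls": {"options": {"default": {}, "mtls": {"clientAuth": {"clientAuthType": STRICT}}}},
    "http": {"routers": {
        "admin": {"rule": "Host(`Admin.Example.com`)", "entryPoints": ["websecure"], "tls": MTLS},
        "api": {"rule": "Host(`api.example.com`)", "entryPoints": ["websecure"], "tls": MTLS},
        "wild": {"rule": "HostRegexp(`.+\\.example\\.com`)", "entryPoints": ["internal"], "tls": MTLS},
    }},
}
print(audit(STATIC, DYNAMIC))
```

An empty result means no router matches all of the checked conditions; any tuple returned names a router and HTTP/3 entrypoint to review.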