CVE-2026-48491
Traefik Domain-Fronting Bypass via SNICheck in 3.7.0-3.7.3

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description

Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection (SNICheck) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions.

When a router uses a wildcard host rule such as Host(`*.example.com`) with stricter TLS options (for example RequireAndVerifyClientCert), SNICheck resolves the TLS options for the HTTP Host header using exact map lookups only and never applies wildcard matching. If another permissive SNI is served on the same entrypoint, an attacker can complete the TLS handshake under the permissive options and then send an HTTP Host header targeting the wildcard-protected backend, reaching it without presenting a client certificate.

This affects the regular HTTPS / HTTP/2 path and does not require HTTP/3. This vulnerability is fixed in 3.7.3.
Meta Information

Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products

Vendor: traefik
Product: traefik
Version range: from 3.7.0 (inclusive) to 3.7.4 (exclusive)
CWE

CWE-288: The product requires authentication, but the product has an alternate path or channel that does not require authentication.
AI-generated analysis
Executive Summary

This vulnerability exists in Traefik's domain-fronting protection (SNICheck) from versions 3.7.0 to 3.7.1. It allows an unauthenticated client to bypass mutual TLS (mTLS) enforcement when using wildcard router TLSOptions. Specifically, when a router uses a wildcard host rule like Host(`*.example.com`) with strict TLS options such as RequireAndVerifyClientCert, SNICheck only performs exact map lookups for TLS options based on the HTTP Host header and does not apply wildcard matching.

If there is another permissive SNI on the same entrypoint, an attacker can complete the TLS handshake using the permissive options and then send an HTTP Host header targeting the wildcard-protected backend. This allows the attacker to reach the backend without presenting a client certificate, effectively bypassing mTLS protection.

This issue affects HTTPS and HTTP/2 paths and does not require HTTP/3. The root cause is that SNICheck does not perform wildcard matching for TLS options, unlike the router's HostSNI matching, enabling domain fronting attacks.

Impact Analysis

This vulnerability can allow an attacker to bypass mutual TLS authentication controls that are expected to secure backend services. By exploiting the domain fronting issue, an unauthenticated attacker can access services protected by strict mTLS policies without presenting a valid client certificate.

This can lead to unauthorized access to sensitive backend services, potentially exposing confidential data or allowing unauthorized actions within the protected environment.

Because the attack requires only network access and no privileges or user interaction, it poses a significant risk to the confidentiality and integrity of the affected systems.

Detection Guidance

This vulnerability involves bypassing mutual TLS (mTLS) enforcement through domain fronting by exploiting wildcard router TLSOptions in Traefik versions 3.7.0 to 3.7.3. Detection involves identifying if your Traefik setup uses wildcard host rules (e.g., Host(`*.example.com`)) combined with stricter TLS options like RequireAndVerifyClientCert.

To detect potential exploitation attempts on your network or system, monitor TLS handshakes and HTTP Host headers for mismatches where a permissive SNI is used during the TLS handshake but the HTTP Host header targets a wildcard-protected backend requiring mTLS.

Suggested commands include capturing and analyzing network traffic with tools like tcpdump or Wireshark to inspect TLS handshakes and HTTP headers:

  • Use tcpdump to capture TLS handshakes on port 443: tcpdump -i <interface> -w capture.pcap port 443
  • Analyze the capture with Wireshark to check for TLS SNI values and HTTP Host headers that do not match expected mTLS enforcement.
  • Check Traefik logs for unusual requests where the TLS handshake succeeded under permissive options but the HTTP Host header targets a wildcard mTLS-protected backend.
Mitigation Strategies

Immediate mitigation steps include avoiding the use of wildcard router TLSOptions for mutual TLS enforcement in Traefik.

Other recommended actions are:

  • Enumerate exact hostnames instead of using wildcard host rules in your router configurations.
  • Enforce mutual TLS in the default TLS options rather than relying on wildcard router TLSOptions.
  • Avoid mixing permissive and mutual TLS hosts on the same entrypoint to prevent domain fronting.
  • Block domain-fronted requests at another layer, such as a firewall or web application firewall.

Ultimately, upgrade Traefik to version 3.7.3 or later, where this vulnerability is fixed.
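The following Go program is an added illustration and is not Traefik's source code. It models the lookup behaviour the Description attributes to SNICheck (an exact lookup of the HTTP Host header against router host patterns, beside a lookup that also applies wildcard matching the way HostSNI does), applies the resulting decision to a handshake SNI / Host header pair of the kind the detection guidance says to look for, and audits a constructed entrypoint for the configuration the mitigation list advises against (a wildcard router enforcing client certificates next to a permissive host on the same entrypoint). The Router type, the one-label wildcard semantics, and the router set are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ClientAuth is the client-certificate policy carried by a TLS option.
// Assumption for this example: only the two policies the advisory mentions are modelled,
// and a larger value means a stricter policy.
type ClientAuth int

const (
	NoClientCert ClientAuth = iota
	RequireAndVerifyClientCert
)

// Router is a hypothetical, simplified view of one Traefik router on an entrypoint:
// the host pattern from its Host() rule and the client-auth policy of its TLS options.
type Router struct {
	HostPattern string // e.g. "*.example.com" or "public.example.net"
	ClientAuth  ClientAuth
}

// hostMatches reports whether host is covered by pattern. A leading "*." stands for
// exactly one DNS label (assumed wildcard semantics for this example).
func hostMatches(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	suffix := pattern[1:] // "*.example.com" -> ".example.com"
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	label := strings.TrimSuffix(host, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// resolveExact models the vulnerable behaviour: the Host header is compared only against
// the literal pattern (equivalent to a map keyed by the pattern), so "api.example.com"
// never resolves to the options of "*.example.com".
func resolveExact(routers []Router, host string) (ClientAuth, bool) {
	for _, r := range routers {
		if strings.EqualFold(r.HostPattern, host) {
			return r.ClientAuth, true
		}
	}
	return NoClientCert, false
}

// resolveWildcard models the fixed behaviour: an exact match wins, otherwise wildcard
// patterns are consulted, mirroring the wildcard matching HostSNI already performs.
func resolveWildcard(routers []Router, host string) (ClientAuth, bool) {
	if auth, ok := resolveExact(routers, host); ok {
		return auth, true
	}
	for _, r := range routers {
		if strings.HasPrefix(r.HostPattern, "*.") && hostMatches(r.HostPattern, host) {
			return r.ClientAuth, true
		}
	}
	return NoClientCert, false
}

// ShouldReject is the SNICheck decision: the request is domain-fronted when the policy
// required for the HTTP Host header is stricter than the policy the TLS handshake (SNI)
// was completed under. resolve selects the vulnerable or the fixed lookup.
func ShouldReject(routers []Router, sni, host string, resolve func([]Router, string) (ClientAuth, bool)) bool {
	handshakeAuth, _ := resolve(routers, sni)
	hostAuth, found := resolve(routers, host)
	return found && hostAuth > handshakeAuth
}

// AuditEntrypoint returns the wildcard patterns that require client certificates while a
// permissive host is served on the same entrypoint: the mix the mitigation list warns about.
func AuditEntrypoint(routers []Router) []string {
	permissive := false
	for _, r := range routers {
		if r.ClientAuth == NoClientCert {
			permissive = true
		}
	}
	var findings []string
	if !permissive {
		return findings
	}
	for _, r := range routers {
		if strings.HasPrefix(r.HostPattern, "*.") && r.ClientAuth == RequireAndVerifyClientCert {
			findings = append(findings, r.HostPattern)
		}
	}
	return findings
}

func main() {
	// Constructed entrypoint: a permissive public host beside a wildcard mTLS router.
	routers := []Router{
		{HostPattern: "public.example.net", ClientAuth: NoClientCert},
		{HostPattern: "*.example.com", ClientAuth: RequireAndVerifyClientCert},
	}
	sni, host := "public.example.net", "api.example.com"
	fmt.Println("exact lookup rejects:   ", ShouldReject(routers, sni, host, resolveExact))
	fmt.Println("wildcard lookup rejects:", ShouldReject(routers, sni, host, resolveWildcard))
	fmt.Println("risky wildcard routers: ", AuditEntrypoint(routers))
}
```

Run with `go run`: the exact-lookup path reports that the fronted pair is not rejected (the bypass), the wildcard-aware path rejects it, and the audit names `*.example.com` as the router to either enumerate as exact hostnames or protect through the default TLS options instead.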

Compliance Impact

The vulnerability allows an unauthenticated client to bypass mutual TLS (mTLS) protections, potentially exposing sensitive data by circumventing expected security boundaries. This can lead to unauthorized access to protected resources, which may result in violations of data protection requirements under standards like GDPR and HIPAA that mandate strict access controls and encryption to protect confidentiality and integrity of data.

Because the exploit enables attackers to bypass client certificate verification, it undermines the security guarantees that organizations rely on to comply with regulations requiring strong authentication and data protection measures. Therefore, if exploited, this vulnerability could negatively impact an organization's compliance posture with such standards.
