{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-48491", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-21T15:33:08.291Z", "datePublished": "2026-06-23T19:12:10.819Z", "dateUpdated": "2026-06-24T14:31:59.477Z"}, "containers": {"cna": {"title": "Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "lang": "en", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-5r4w-85f3-pw66", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-5r4w-85f3-pw66"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.7.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.7.3"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": ">= 3.7.0, < 3.7.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-23T19:12:10.819Z"}, "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection (SNICheck) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rule such as Host(*.example.com) with stricter TLS options (for example RequireAndVerifyClientCert), SNICheck resolves the TLS options for the HTTP Host header using exact map lookups only and never applies wildcard matching. If another permissive SNI is served on the same entrypoint, an attacker can complete the TLS handshake under the permissive options and then send an HTTP Host header targeting the wildcard-protected backend, reaching it without presenting a client certificate. This affects the regular HTTPS / HTTP-2 path and does not require HTTP/3. This vulnerability is fixed in 3.7.3."}], "source": {"advisory": "GHSA-5r4w-85f3-pw66", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-24T14:31:36.691139Z", "id": "CVE-2026-48491", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T14:31:59.477Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-48491", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-24T14:31:36.691139Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T14:31:56.247Z"}}], "cna": {"title": "Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass", "source": {"advisory": "GHSA-5r4w-85f3-pw66", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"status": "affected", "version": ">= 3.7.0, < 3.7.3"}]}], "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-5r4w-85f3-pw66", "name": "https://github.com/traefik/traefik/security/advisories/GHSA-5r4w-85f3-pw66", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.7.3", "name": "https://github.com/traefik/traefik/releases/tag/v3.7.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection (SNICheck) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rule such as Host(*.example.com) with stricter TLS options (for example RequireAndVerifyClientCert), SNICheck resolves the TLS options for the HTTP Host header using exact map lookups only and never applies wildcard matching. If another permissive SNI is served on the same entrypoint, an attacker can complete the TLS handshake under the permissive options and then send an HTTP Host header targeting the wildcard-protected backend, reaching it without presenting a client certificate. This affects the regular HTTPS / HTTP-2 path and does not require HTTP/3. This vulnerability is fixed in 3.7.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-23T19:12:10.819Z"}}}, "cveMetadata": {"cveId": "CVE-2026-48491", "state": "PUBLISHED", "dateUpdated": "2026-06-24T14:31:59.477Z", "dateReserved": "2026-05-21T15:33:08.291Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-23T19:12:10.819Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "Traefik: Traefik: Unauthorized access due to mutual TLS bypass", "id": "2491923", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491923"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-807", "details": ["A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This vulnerability allows an unauthenticated client to bypass mutual Transport Layer Security (TLS) enforcement, a security measure that verifies both client and server identities. The bypass occurs due to an issue in Traefik's domain-fronting protection (SNICheck), which incorrectly processes TLS options for HTTP Host headers. As a result, an attacker can gain unauthorized access to protected backend services without presenting a required client certificate."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid configuring Traefik with wildcard host rules (e.g., Host(*.example.com)) alongside strict TLS options such as RequireAndVerifyClientCert on entrypoints that also serve permissive SNI configurations. Alternatively, restrict network access to Traefik's entrypoints to trusted networks only, thereby limiting potential exposure."}, "name": "CVE-2026-48491", "package_state": [{"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-06-23T19:12:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-48491\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-48491\nhttps://github.com/traefik/traefik/releases/tag/v3.7.3\nhttps://github.com/traefik/traefik/security/advisories/GHSA-5r4w-85f3-pw66"], "statement": "This is an Important flaw in Traefik that allows an unauthenticated client to bypass mutual TLS authentication. The vulnerability arises from an issue in Traefik's domain-fronting protection when specific wildcard host rules with strict TLS options are used alongside permissive SNI configurations on the same entrypoint. This bypass enables unauthorized access to protected backend services, undermining critical access controls.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.7.0,3.7.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "traefik", "source": "cna", "vendor": "traefik"}, "product": "traefik", "vendor": "traefik"}], "created": "2026-06-23T20:45:06.974241+00:00", "updated": "2026-06-24T13:45:16.890215+00:00", "vendors": ["traefik", "traefik$PRODUCT$traefik"]}