
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN600
_____________________________________________________________________

DATE                : 05/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Traefik versions prior to 2.11.48,
                     3.6.19 or 3.7.3.

=====================================================================
https://github.com/traefik/traefik/security/advisories/GHSA-xf64-8mw2-4gr2
https://github.com/traefik/traefik/security/advisories/GHSA-5r4w-85f3-pw66
https://github.com/traefik/traefik/security/advisories/GHSA-9cr8-q42q-g8m7
_____________________________________________________________________

Traefik StripPrefix Route-Level Auth Bypass via Path Normalization
High
nmengin published GHSA-xf64-8mw2-4gr2 Jun 5, 2026

Package
Traefik (Go)

Affected versions
<= v2.11.46, <= v3.6.17, <= v3.7.1

Patched versions
v2.11.48, v3.6.19, v3.7.3


Description

Summary

There is a high severity vulnerability in Traefik's StripPrefix
middleware that allows an unauthenticated attacker to bypass route-level
authentication and authorization. When a public router matches on a
PathPrefix rule and applies the StripPrefix middleware, a request path
containing .. or its percent-encoded form %2e%2e can match the public
route at routing time and then, after the prefix is stripped and the
path is normalized, resolve to a path served by a separate, authenticated
router. As a result, an attacker can reach protected backend paths — such
as admin or internal configuration endpoints — without satisfying the
authentication middleware attached to the protected router.


Patches

    https://github.com/traefik/traefik/releases/tag/v2.11.48
    https://github.com/traefik/traefik/releases/tag/v3.6.19
    https://github.com/traefik/traefik/releases/tag/v3.7.3

For more information

If you have any questions or comments about this advisory, please open
an issue.


Original Description

Severity
High
7.8 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability None
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

CVE ID
CVE-2026-48020

Weaknesses
No CWEs

Credits

    @H4ck2 (Reporter)

_____________________________________________________________________


SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted
mTLS bypass
High
nmengin published GHSA-5r4w-85f3-pw66 Jun 5, 2026

Package
Traefik (Go)

Affected versions
>= v3.7.0, <= v3.7.1

Patched versions
v3.7.3


Description

Summary

There is a high severity vulnerability in Traefik's domain-fronting
protection (SNICheck) that allows an unauthenticated client to bypass
mutual TLS enforced through wildcard router TLSOptions. When a router
uses a wildcard host rule such as Host(*.example.com) with stricter
TLS options (for example RequireAndVerifyClientCert), SNICheck
resolves the TLS options for the HTTP Host header using exact map
lookups only and never applies wildcard matching. If another permissive
SNI is served on the same entrypoint, an attacker can complete the
TLS handshake under the permissive options and then send an HTTP Host
header targeting the wildcard-protected backend, reaching it without
presenting a client certificate. This affects the regular
HTTPS / HTTP/2 path and does not require HTTP/3.


Patches

    https://github.com/traefik/traefik/releases/tag/v3.7.3

For more information

If you have any questions or comments about this advisory, please
open an issue.


Original Description


Severity
High
7.8 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability None
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

CVE ID
CVE-2026-48491

Weaknesses
Weakness CWE-288

Credits

    @kamil-sawicki (Reporter)

_____________________________________________________________________


HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and
mixed-case hosts
High
nmengin published GHSA-9cr8-q42q-g8m7 Jun 5, 2026

Package
Traefik (Go)

Affected versions
<= v3.7.2

Patched versions
v3.7.3

Description

Summary

There is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS
configuration selection that allows unauthenticated clients to bypass
router-specific mTLS enforcement. When HTTP/3 is enabled on an
entrypoint, the TLS handshake selects the applicable TLS configuration
through an exact, case-sensitive lookup on the SNI value, which fails
to match wildcard host patterns (e.g., *.example.com) or case variants
of the configured hostname. Because the handshake falls back to the
default TLS configuration — which may not require client certificates — a
client can complete the QUIC handshake without presenting a certificate,
while the subsequent HTTP routing layer still dispatches the request to
a backend protected by a router-specific mTLS policy. The issue affects
deployments where HTTP/3 is enabled, a router uses a wildcard Host rule
or case-insensitive hostname matching, a router-specific TLSOptions
enforces client certificate authentication, and UDP access to the
entrypoint is reachable by an attacker.
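The SNICheck advisory above and this HTTP/3 advisory share one root cause: TLSOptions are selected by an exact, case-sensitive map lookup that never considers wildcard entries, so the handshake or the Host check falls through to the default options. The added Go sketch below (not Traefik's code) places that weak lookup beside a hardened one that normalizes the hostname and honours single-label wildcards, plus the SNI-versus-Host consistency check a domain-fronting guard needs; the table contents, default-options value and function names are assumptions.

```go
package main

import "strings"

// normalizeTable lowercases the configured keys once at load time. Keys are
// exact hosts ("api.example.com") or single-label wildcards ("*.example.com").
func normalizeTable(byHost map[string]string) map[string]string {
	out := make(map[string]string, len(byHost))
	for k, v := range byHost {
		out[strings.ToLower(strings.TrimSuffix(k, "."))] = v
	}
	return out
}

// exactTLSOptionsFor mirrors the weak lookup the advisories describe: a single
// exact, case-sensitive map access, so wildcard entries and differently cased
// hostnames are never found and the caller falls back to the default options.
func exactTLSOptionsFor(host string, table map[string]string, def string) string {
	if o, ok := table[host]; ok {
		return o
	}
	return def
}

// hardenedTLSOptionsFor normalizes the name (lowercase, no port, no trailing
// dot), tries the exact host, then the wildcard that replaces its leftmost
// label: "*.example.com" covers "a.example.com" but not "x.a.example.com".
func hardenedTLSOptionsFor(host string, table map[string]string, def string) string {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	if i := strings.LastIndexByte(h, ':'); i > strings.LastIndexByte(h, ']') {
		h = h[:i] // drop ":port", also after a bracketed IPv6 literal
	}
	if o, ok := table[h]; ok {
		return o
	}
	if i := strings.IndexByte(h, '.'); i > 0 {
		if o, ok := table["*"+h[i:]]; ok {
			return o
		}
	}
	return def
}

// sniCheck is the domain-fronting guard: the request may proceed only if the
// HTTP Host header selects the same TLS options that the SNI selected.
func sniCheck(sni, host string, table map[string]string, def string) bool {
	return hardenedTLSOptionsFor(sni, table, def) == hardenedTLSOptionsFor(host, table, def)
}
```

Hosts that match no entry fall back to `def`, which is exactly the case the advisories describe; the hardened lookup only narrows that fallback, so the default options themselves should still require whatever the strictest router needs.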


Patches

    https://github.com/traefik/traefik/releases/tag/v3.7.3

For more information

If you have any questions or comments about this advisory, please open
an issue.


Original Description

Severity
High
7.8 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability None
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

CVE ID
No known CVE

Weaknesses
Weakness CWE-288

Credits

    @kamil-sawicki (Reporter)


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================