TLS Handshake Vulnerability in Traefik HTTP Reverse Proxy and Load Balancer
CVE-2026-26999
7.5 HIGH
What is CVE-2026-26999?
Traefik, an HTTP reverse proxy and load balancer, contains a vulnerability in how it handles TLS connections on TCP routers. Prior to versions 2.11.38 and 3.6.9, the read deadline set for protocol sniffing is incorrectly cleared during the TLS handshake process, which can lead to denial of service. An attacker who sends an incomplete TLS record and then stops sending data can cause the handshake to stall indefinitely. By doing this over multiple simultaneous connections, an attacker can exhaust server resources, impairing the availability of services routed through the affected Traefik entrypoints. The issue is fixed in versions 2.11.38 and 3.6.9.
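The deadline ordering described above, as an added Go example that is not Traefik's code: `serveTLS` and `stalled` are hypothetical helpers, and the partial record is a constructed sample fed through an in-memory `net.Pipe`. With the read deadline cleared before the handshake, a silent peer holds the connection open; with the deadline kept until the handshake finishes, the connection is released once the timeout passes.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"time"
)

// Constructed sample: a TLS record header announcing a 200-byte handshake
// message, followed by only 3 body bytes. The peer then stays silent.
var partialRecord = []byte{0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00}

// serveTLS models a TCP entrypoint (hypothetical helper, not Traefik's code;
// the sniffing read itself is omitted). keepDeadline=false reproduces the
// flawed ordering: the sniffing deadline is cleared before the handshake.
// keepDeadline=true keeps it armed until the handshake has finished.
func serveTLS(conn net.Conn, cfg *tls.Config, timeout time.Duration, keepDeadline bool) error {
	conn.SetReadDeadline(time.Now().Add(timeout)) // armed for protocol sniffing
	if !keepDeadline {
		conn.SetReadDeadline(time.Time{}) // flawed: cleared too early
	}
	if err := tls.Server(conn, cfg).Handshake(); err != nil {
		conn.Close() // a timed-out or failed handshake frees the connection
		return err
	}
	return conn.SetReadDeadline(time.Time{}) // clear only after the handshake
}

// stalled reports whether a silent peer still holds the server side open
// after wait has elapsed. It uses an in-memory net.Pipe, no real network.
func stalled(keepDeadline bool, timeout, wait time.Duration) bool {
	server, client := net.Pipe()
	defer client.Close()
	go client.Write(partialRecord)
	done := make(chan error, 1)
	go func() { done <- serveTLS(server, &tls.Config{}, timeout, keepDeadline) }()
	select {
	case <-done:
		return false
	case <-time.After(wait):
		server.Close() // release the stuck handshake goroutine
		return true
	}
}

func main() {
	fmt.Println("deadline cleared early, stalled:", stalled(false, 50*time.Millisecond, time.Second))
	fmt.Println("deadline kept, stalled:", stalled(true, 50*time.Millisecond, time.Second))
}
```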
Affected Version(s)
traefik < 2.11.38
traefik < 3.6.9
