CVE-2026-53622
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
In Traefik prior to 3.7.3, a critical vulnerability in HTTP/3 (QUIC) TLS configuration selection allows unauthenticated clients to bypass router-specific mTLS enforcement. The TLS handshake fails to match wildcard host patterns (e.g., *.example.com) or case variants, falling back to a default TLS config that may not require client certificates.
Risk Assessment
An attacker can access protected backends without presenting a required client certificate, violating mTLS security policies and potentially leading to unauthorized access to sensitive resources.
Recommendation
Upgrade Traefik to version 3.7.3 or later immediately. If upgrading is not possible, temporarily disable HTTP/3 on entrypoints where mTLS policies with wildcard rules are used.
Original NVD description (English source)
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI value, which fails to match wildcard host patterns (e.g., *.example.com) or case variants of the configured hostname. Because the handshake falls back to the default TLS configuration — which may not require client certificates — a client can complete the QUIC handshake without presenting a certificate, while the subsequent HTTP routing layer still dispatches the request to a backend protected by a router-specific mTLS policy. The issue affects deployments where HTTP/3 is enabled, a router uses a wildcard Host rule or case-insensitive hostname matching, a router-specific TLSOptions enforces client certificate authentication, and UDP access to the entrypoint is reachable by an attacker. This vulnerability is fixed in 3.7.3.

