CVE-2026-22045

Name
CVE-2026-22045
Description
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik's automatic generation of ACME TLS certificates: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7.
NVD Severity
unknown

References

| Type | URI |
| --- | --- |
| MISC | https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d |
| MISC | https://github.com/traefik/traefik/releases/tag/v2.11.35 |
| MISC | https://github.com/traefik/traefik/releases/tag/v3.6.7 |
| CONFIRM | https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| | traefik | >= 0 | < 2.11.35 |
| | traefik | >= 3.0.0-beta1 | < 3.6.7 |
| cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:* | traefik | >= None | < 2.11.35 |
| cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:* | traefik | >= 3.0.0 | < 3.6.7 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| traefik | edge-community | 3.6.6-r1 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.6.6-r0 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.6.4-r0 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.6.2-r1 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.6.2-r0 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.5.0-r2 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.5.0-r1 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.5.0-r0 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.4.0-r2 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.4.0-r1 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.4.0-r0 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.3.4-r3 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.3.4-r2 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.3.4-r1 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.3.4-r0 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.3.3-r0 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.3.2-r1 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.3.2-r0 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.1.7-r0 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 3.1.3-r0 | None | possibly vulnerable |
| traefik | edge-community | 2.9.10-r0 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 2.9.6-r0 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | edge-community | 2.2.8-r0 | None | possibly vulnerable |
| traefik | 3.23-community | 3.6.2-r3 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | 3.23-community | 3.6.2-r2 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |
| traefik | 3.23-community | 3.6.2-r1 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable |