Overview
A recently disclosed vulnerability in Traefik, tracked as CVE-2026-53622 and rated 7.8, affects deployments that use router-specific TLSOptions as an access-control boundary. It allows an unauthenticated client to bypass mutual TLS (mTLS) enforcement on HTTP/3 connections. The cause is the way Traefik selects a TLS configuration during the QUIC handshake: the lookup is an exact, case-sensitive match on the SNI value, so a wildcard host pattern or a differently cased hostname never matches, and the handshake falls back to the entrypoint's default TLS configuration, which may not require client certificates.
Technical Details
The vulnerability is rooted in the implementation of the `GetTLSGetClientInfo` function in Traefik's TCP router. This function performs an exact, case-sensitive lookup of the Server Name Indication (SNI) value to select the applicable TLS configuration. However, this approach has two major shortcomings:
- It fails to match wildcard host patterns (e.g., `*.example.com`).
- It does not account for case variants of the configured hostname.
As a result, when HTTP/3 is enabled on an entrypoint and a router combines a wildcard `Host` rule (or a hostname that clients may send in a different case) with a router-specific `TLSOptions` that requires client certificates, an attacker can complete the QUIC handshake without presenting any certificate: the SNI lookup misses, the handshake proceeds under the default TLS configuration, and the HTTP routing layer, which does honour the wildcard rule, still dispatches the request to the backend that the router-specific mTLS policy was meant to protect.
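The following Go program is an added illustration of the selection flaw described above; it is not Traefik's code, and the function names (`exactLookup`, `matchingLookup`, `hostMatches`) and the sample host rules are assumptions made for the example. It models the two lookups side by side: an exact, case-sensitive map lookup that falls back to the default `tls.Config`, and a lookup that lowercases the SNI and honours single-label wildcards. It also shows why the "enforce mTLS in the default TLS options" workaround closes the gap even with the flawed lookup in place.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// sampleConfigs builds constructed sample data: two routers bound to a
// TLSOptions that requires client certificates, and a default config that
// does not. Keys mimic Host rules; "*.example.com" is a wildcard rule.
func sampleConfigs() (map[string]*tls.Config, *tls.Config) {
	mtls := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}
	def := &tls.Config{ClientAuth: tls.NoClientCert}
	routers := map[string]*tls.Config{
		"*.example.com":   mtls,
		"api.example.com": mtls,
	}
	return routers, def
}

// exactLookup models the flawed behaviour: exact, case-sensitive key lookup
// on the raw SNI, then fall back to the default configuration.
func exactLookup(routers map[string]*tls.Config, def *tls.Config, sni string) *tls.Config {
	if c, ok := routers[sni]; ok {
		return c
	}
	return def
}

// hostMatches reports whether a Host rule (exact or "*.suffix") matches the
// host, case-insensitively. A wildcard covers exactly one DNS label.
func hostMatches(rule, host string) bool {
	rule = strings.ToLower(rule)
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if !strings.HasPrefix(rule, "*.") {
		return rule == host
	}
	suffix := rule[1:] // ".example.com"
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	label := strings.TrimSuffix(host, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// matchingLookup normalises case and honours wildcard rules. Among several
// matching rules the longest (most specific) wins, so iteration order of the
// map does not affect the result.
func matchingLookup(routers map[string]*tls.Config, def *tls.Config, sni string) *tls.Config {
	var best *tls.Config
	bestLen := -1
	for rule, c := range routers {
		if hostMatches(rule, sni) && len(rule) > bestLen {
			best, bestLen = c, len(rule)
		}
	}
	if best != nil {
		return best
	}
	return def
}

// requiresClientCert is the property an mTLS boundary depends on.
func requiresClientCert(c *tls.Config) bool {
	return c.ClientAuth == tls.RequireAndVerifyClientCert
}

func main() {
	routers, def := sampleConfigs()
	hardenedDef := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}
	for _, sni := range []string{"api.example.com", "API.example.com", "app.example.com"} {
		fmt.Printf("%-16s exact=%v matching=%v exact+hardened-default=%v\n", sni,
			requiresClientCert(exactLookup(routers, def, sni)),
			requiresClientCert(matchingLookup(routers, def, sni)),
			requiresClientCert(exactLookup(routers, hardenedDef, sni)))
	}
}
```

Running it shows the exact lookup only enforcing client certificates for `api.example.com` spelled exactly as configured, while `API.example.com` and the wildcard-covered `app.example.com` silently get the lax default; the matching lookup enforces it for all three, and with a hardened default even the flawed lookup no longer yields a weaker configuration.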
Impact Analysis
The impact is severe for deployments that rely on mTLS as the access-control boundary for HTTP/3 traffic. An unauthenticated attacker can reach protected backends without a client certificate, which can expose confidential data or permit unauthorized backend operations. The attack needs no credentials, no user interaction, and no prior foothold: a single QUIC connection with a suitably chosen SNI is enough.
Mitigation Strategies
The issue is fixed in Traefik v3.7.3. Deployments that cannot upgrade immediately can reduce the risk with one or more of the following workarounds:
- Disable HTTP/3 on entrypoints whose routers rely on router-specific mTLS; this removes the QUIC handshake path entirely.
- Enforce client certificate authentication in the default TLS options, so that the fallback configuration is never weaker than any router-specific one. Note that the default applies to every router on the entrypoint that has no explicit TLSOptions, so check that nothing else on that entrypoint is meant to be reachable without a certificate.
- Block UDP access to the HTTP/3 entrypoint at the firewall or load balancer. HTTP/3 runs over QUIC on UDP, so exposing only TCP leaves clients with the HTTP/1.1 and HTTP/2 paths, which are not affected.
- Enforce client authentication at an additional layer behind Traefik, so the backend does not trust the proxy's mTLS decision alone.