Vulnerability-Lookup

CVE-2026-22045 (GCVE-0-2026-22045)

Vulnerability from cvelistv5 – Published: 2026-01-15 22:44 – Updated: 2026-01-15 22:44

Title

Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall

Summary

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

URL

Tags

	https://github.com/traefik/traefik/security/advis…	x_refsource_CONFIRM
	https://github.com/traefik/traefik/commit/e9f3089…	x_refsource_MISC
	https://github.com/traefik/traefik/releases/tag/v…	x_refsource_MISC
	https://github.com/traefik/traefik/releases/tag/v3.6.7	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	traefik	traefik	Affected: < 2.11.35 Affected: >=3.0.0-beta1, < 3.6.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "traefik",
          "vendor": "traefik",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.11.35"
            },
            {
              "status": "affected",
              "version": "\u003e=3.0.0-beta1, \u003c 3.6.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates\u0027 automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-15T22:44:05.423Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq"
        },
        {
          "name": "https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v2.11.35",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v2.11.35"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v3.6.7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v3.6.7"
        }
      ],
      "source": {
        "advisory": "GHSA-cwjm-3f7h-9hwq",
        "discovery": "UNKNOWN"
      },
      "title": "Traefik\u0027s ACME TLS-ALPN fast path lacks timeouts and close on handshake stall"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22045",
    "datePublished": "2026-01-15T22:44:05.423Z",
    "dateReserved": "2026-01-05T22:30:38.720Z",
    "dateUpdated": "2026-01-15T22:44:05.423Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-22045\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-15T23:15:51.593\",\"lastModified\":\"2026-01-16T15:55:12.257\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates\u0027 automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"references\":[{\"url\":\"https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/traefik/traefik/releases/tag/v2.11.35\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/traefik/traefik/releases/tag/v3.6.7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-22045

Vulnerability from fkie_nvd - Published: 2026-01-15 23:15 - Updated: 2026-01-16 15:55

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d
	security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v2.11.35
	security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v3.6.7
	security-advisories@github.com	https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates\u0027 automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7."
    }
  ],
  "id": "CVE-2026-22045",
  "lastModified": "2026-01-16T15:55:12.257",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-15T23:15:51.593",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.35"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.7"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-CWJM-3F7H-9HWQ

Vulnerability from github – Published: 2026-01-15 22:58 – Updated: 2026-01-16 15:20

Summary

Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall

Details

Impact

There is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled.

A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entrypoint.

Patches

https://github.com/traefik/traefik/releases/tag/v2.11.35
https://github.com/traefik/traefik/releases/tag/v3.6.7

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description # \[Security\] ACME TLS-ALPN fast path lacks timeouts and close on handshake stall Dear Traefik security team, We believe we have identified a resource-exhaustion issue in the ACME TLS-ALPN fast path that can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled. ## Summary - Affected code: `pkg/server/router/tcp/router.go` (ACME TLS-ALPN handling). - When a ClientHello advertises `acme-tls/1`, Traefik intercepts it and calls `tls.Server(...).Handshake()` without any read/write deadlines and without closing the connection afterward. - Immediately before this branch, existing deadlines set by the entrypoint are cleared. - A client that sends the ALPN marker and then stops responding can keep the goroutine and socket open indefinitely, potentially exhausting the entrypoint under load. - Exposure is limited to entrypoints where the ACME TLS-ALPN challenge is enabled and ACME bypass is not allowed. ## Relevant snippets ```143:171:pkg/server/router/tcp/router.go // Deadlines are cleared before protocol dispatch if err := conn.SetDeadline(time.Time{}); err != nil { log.Error().Err(err).Msg("Error while setting deadline") } // ACME TLS-ALPN fast path if !r.acmeTLSPassthrough && slices.Contains(hello.protos, tlsalpn01.ACMETLS1Protocol) { r.acmeTLSALPNHandler().ServeTCP(r.GetConn(conn, hello.peeked)) return }


```224:226:pkg/server/router/tcp/router.go
// Handler invoked by the branch above
return tcp.HandlerFunc(func(conn tcp.WriteCloser) {
    _ = tls.Server(conn, r.httpsTLSConfig).Handshake()
})

## Impact - Each stalled handshake consumes a goroutine and FD with no timeout and no server-side close. - A malicious client can open many connections, send a minimal ClientHello with `acme-tls/1`, then stop responding, leading to denial of service of the entrypoint. - Normal HTTPS handling uses `http.Server` timeouts; this bespoke path bypasses them. ## Conditions for exploitation - ACME TLS-ALPN challenge enabled (default when configured). - `allowACMEByPass` disabled for the entrypoint (the default when ACME TLS challenge is handled by Traefik). ## CWE - CWE-400: Uncontrolled Resource Consumption. ## Proposed fix (illustrative)

@@ func (r *Router) acmeTLSALPNHandler() tcp.Handler {
-    return tcp.HandlerFunc(func(conn tcp.WriteCloser) {
-        _ = tls.Server(conn, r.httpsTLSConfig).Handshake()
-    })
+    return tcp.HandlerFunc(func(conn tcp.WriteCloser) {
+        // Ensure the handshake cannot block indefinitely and always closes the socket.
+        _ = conn.SetReadDeadline(time.Now().Add(10 * time.Second))
+        _ = conn.SetWriteDeadline(time.Now().Add(10 * time.Second))
+
+        tlsConn := tls.Server(conn, r.httpsTLSConfig)
+        _ = tlsConn.Handshake()
+        _ = tlsConn.Close() // close regardless of handshake outcome
+    })
 }

Alternatively, route ACME TLS-ALPN through the existing `tcp.TLSHandler`/HTTP server path so the configured timeouts and lifecycle management apply automatically. ## CVSS v3.1 (estimate) - Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - Base score: 7.5 (High) - Rationale: Network-only, no auth/user interaction required; impact is service availability via resource exhaustion; no confidentiality or integrity impact. Please let us know if you would like a PoC or further details. We have not made any code changes in this report. Let us know if you have any questions or need clarification\! Best wishes, Pavel Kohout Aisle Research

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.6.6"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.11.34"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.35"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22045"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-15T22:58:23Z",
    "nvd_published_at": "2026-01-15T23:15:51Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nThere is a potential vulnerability in Traefik ACME TLS certificates\u0027 automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled.\n\nA malicious client can open many connections, send a minimal ClientHello with `acme-tls/1`, then stop responding, leading to denial of service of the entrypoint.  \n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.35\n- https://github.com/traefik/traefik/releases/tag/v3.6.7\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\n# \\[Security\\] ACME TLS-ALPN fast path lacks timeouts and close on handshake stall\n\nDear Traefik security team,\n\nWe believe we have identified a resource-exhaustion issue in the ACME TLS-ALPN fast path that can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled.\n\n## Summary\n\n- Affected code: `pkg/server/router/tcp/router.go` (ACME TLS-ALPN handling).  \n- When a ClientHello advertises `acme-tls/1`, Traefik intercepts it and calls `tls.Server(...).Handshake()` without any read/write deadlines and without closing the connection afterward.  \n- Immediately before this branch, existing deadlines set by the entrypoint are cleared.  \n- A client that sends the ALPN marker and then stops responding can keep the goroutine and socket open indefinitely, potentially exhausting the entrypoint under load.  \n- Exposure is limited to entrypoints where the ACME TLS-ALPN challenge is enabled and ACME bypass is not allowed.\n\n## Relevant snippets\n```143:171:pkg/server/router/tcp/router.go\n// Deadlines are cleared before protocol dispatch\nif err := conn.SetDeadline(time.Time{}); err != nil {\n    log.Error().Err(err).Msg(\"Error while setting deadline\")\n}\n\n// ACME TLS-ALPN fast path\nif !r.acmeTLSPassthrough \u0026\u0026 slices.Contains(hello.protos, tlsalpn01.ACMETLS1Protocol) {\n    r.acmeTLSALPNHandler().ServeTCP(r.GetConn(conn, hello.peeked))\n    return\n}\n```\n\n```224:226:pkg/server/router/tcp/router.go\n// Handler invoked by the branch above\nreturn tcp.HandlerFunc(func(conn tcp.WriteCloser) {\n    _ = tls.Server(conn, r.httpsTLSConfig).Handshake()\n})\n```\n\n## Impact\n\n- Each stalled handshake consumes a goroutine and FD with no timeout and no server-side close.  \n- A malicious client can open many connections, send a minimal ClientHello with `acme-tls/1`, then stop responding, leading to denial of service of the entrypoint.  \n- Normal HTTPS handling uses `http.Server` timeouts; this bespoke path bypasses them.\n\n## Conditions for exploitation\n\n- ACME TLS-ALPN challenge enabled (default when configured).  \n- `allowACMEByPass` disabled for the entrypoint (the default when ACME TLS challenge is handled by Traefik).\n\n## CWE\n\n- CWE-400: Uncontrolled Resource Consumption.\n\n## Proposed fix (illustrative)\n\n```\n@@ func (r *Router) acmeTLSALPNHandler() tcp.Handler {\n-    return tcp.HandlerFunc(func(conn tcp.WriteCloser) {\n-        _ = tls.Server(conn, r.httpsTLSConfig).Handshake()\n-    })\n+    return tcp.HandlerFunc(func(conn tcp.WriteCloser) {\n+        // Ensure the handshake cannot block indefinitely and always closes the socket.\n+        _ = conn.SetReadDeadline(time.Now().Add(10 * time.Second))\n+        _ = conn.SetWriteDeadline(time.Now().Add(10 * time.Second))\n+\n+        tlsConn := tls.Server(conn, r.httpsTLSConfig)\n+        _ = tlsConn.Handshake()\n+        _ = tlsConn.Close() // close regardless of handshake outcome\n+    })\n }\n```\n\nAlternatively, route ACME TLS-ALPN through the existing `tcp.TLSHandler`/HTTP server path so the configured timeouts and lifecycle management apply automatically.\n\n## CVSS v3.1 (estimate)\n\n- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  \n- Base score: 7.5 (High)  \n- Rationale: Network-only, no auth/user interaction required; impact is service availability via resource exhaustion; no confidentiality or integrity impact.\n\nPlease let us know if you would like a PoC or further details. We have not made any code changes in this report.\n\nLet us know if you have any questions or need clarification\\!\n\nBest wishes,  \nPavel Kohout  \n Aisle Research  \n\u003c/details\u003e",
  "id": "GHSA-cwjm-3f7h-9hwq",
  "modified": "2026-01-16T15:20:43Z",
  "published": "2026-01-15T22:58:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22045"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.35"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Traefik\u0027s ACME TLS-ALPN fast path lacks timeouts and close on handshake stall"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-22045 (GCVE-0-2026-22045)

FKIE_CVE-2026-22045

GHSA-CWJM-3F7H-9HWQ

Impact

Patches

For more information

Tags

Sightings

Nomenclature