CVE-2026-22045

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H                                    

Vulnerability Description

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7.

Vulnerability Details

Published Date

January 15, 2026

Last Modified

January 23, 2026

CWE ID

CWE-770

Source

NVD

Vendor

traefik

Product

traefik

External References

https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d
https://github.com/traefik/traefik/releases/tag/v2.11.35
https://github.com/traefik/traefik/releases/tag/v3.6.7
https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq

CVE-2026-22045

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment