CVE-2026-48491 Overview
CVE-2026-48491 is an authentication bypass vulnerability in Traefik, an HTTP reverse proxy and load balancer. The flaw exists in the SNICheck domain-fronting protection between versions 3.7.0 and 3.7.3. SNICheck resolves TLS options for the HTTP Host header using exact map lookups and never applies wildcard matching. An unauthenticated remote attacker can bypass mutual TLS (mTLS) enforced through wildcard router TLSOptions by completing a TLS handshake against a permissive SNI on the same entrypoint, then sending an HTTP Host header targeting a wildcard-protected backend. The issue is tracked as [CWE-288] Authentication Bypass Using an Alternate Path.
Critical Impact
Attackers reach mTLS-protected backends without presenting a client certificate over standard HTTPS / HTTP/2 paths.
Affected Products
- Traefik 3.7.0 through 3.7.2
- Deployments using wildcard host rules such as Host(*.example.com) with stricter TLS options like RequireAndVerifyClientCert
- Entrypoints serving both wildcard-protected routers and a permissive SNI
Discovery Timeline
- 2026-06-23 - CVE-2026-48491 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-48491
Vulnerability Analysis
The vulnerability resides in Traefik's SNICheck logic, which is intended to prevent domain-fronting attacks by validating that the TLS Server Name Indication (SNI) matches the HTTP Host header policy. When a router uses a wildcard host rule combined with stricter TLS options, SNICheck performs only an exact map lookup against the Host header value. Wildcard matching is never applied during this resolution step. The result is that the stricter TLS options attached to the wildcard router are silently ignored at request-routing time.
If the same entrypoint also serves a permissive SNI without client certificate requirements, an attacker completes the TLS handshake under the permissive policy. The attacker then submits an HTTP Host header pointing at the wildcard-protected backend. Traefik forwards the request because no wildcard-aware comparison enforces the stricter RequireAndVerifyClientCert policy.
Root Cause
The root cause is missing wildcard matching during TLS option resolution. SNICheck uses an exact-match map keyed by literal hostnames, which fails to associate requests for api.example.com with the wildcard router Host(*.example.com). Stricter TLS options remain registered against the wildcard entry only, never enforced for individual hostnames covered by the wildcard.
Attack Vector
The attack is performed remotely over the network with no privileges or user interaction. An attacker negotiates TLS using any permissive SNI exposed on the target entrypoint, then crafts an HTTP/1.1 or HTTP/2 request carrying a Host header matching the wildcard-protected backend. The bypass affects standard HTTPS and HTTP/2 traffic and does not require HTTP/3. For full technical details, refer to the GitHub Security Advisory GHSA-5r4w-85f3-pw66.
Detection Methods for CVE-2026-48491
Indicators of Compromise
- Requests where the TLS SNI value differs from the HTTP Host header, particularly when the Host header targets a wildcard-protected domain.
- Access log entries for mTLS-protected backends with no associated client certificate fingerprint.
- Traefik instances running versions 3.7.0 through 3.7.2 with wildcard host rules and RequireAndVerifyClientCert configured.
Detection Strategies
- Parse Traefik access logs and correlate the negotiated SNI with the served Host header to flag mismatches.
- Audit dynamic configuration for routers using wildcard Host(*.domain) rules paired with TLSOptions enforcing client certificate verification.
- Inspect entrypoints that simultaneously expose permissive TLS options and wildcard-protected routers.
Monitoring Recommendations
- Forward Traefik access and TLS handshake logs to a centralized log analytics platform for correlation.
- Alert on backend requests to mTLS-protected services that lack a client certificate subject or serial in request metadata.
- Track anomalous traffic patterns where a single TLS session services multiple distinct Host header values.
How to Mitigate CVE-2026-48491
Immediate Actions Required
- Upgrade Traefik to version 3.7.3 or later, where SNICheck applies wildcard matching during TLS option resolution.
- Inventory all routers using wildcard host rules with stricter TLSOptions and verify enforcement after upgrade.
- Restrict permissive SNIs and mTLS-protected routers to separate entrypoints where feasible.
Patch Information
Traefik 3.7.3 fixes the vulnerability by updating SNICheck to perform wildcard-aware lookups when resolving TLS options for the HTTP Host header. Patch details and binaries are available in the GitHub Traefik Release Notes.
Workarounds
- Replace wildcard host rules with explicit per-host routers carrying the stricter TLSOptions until the upgrade is applied.
- Isolate mTLS-protected backends on dedicated entrypoints that do not serve any permissive SNI.
- Enforce client certificate validation at the backend application layer as a defense-in-depth control.
# Upgrade Traefik container to the patched release
docker pull traefik:3.7.3
docker stop traefik && docker rm traefik
docker run -d --name traefik \
-p 443:443 \
-v /etc/traefik:/etc/traefik \
traefik:3.7.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

