Upstream information

CVE-2026-53622 at MITRE

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI value, which fails to match wildcard host patterns (e.g., *.example.com) or case variants of the configured hostname. Because the handshake falls back to the default TLS configuration - which may not require client certificates - a client can complete the QUIC handshake without presenting a certificate, while the subsequent HTTP routing layer still dispatches the request to a backend protected by a router-specific mTLS policy. The issue affects deployments where HTTP/3 is enabled, a router uses a wildcard Host rule or case-insensitive hostname matching, a router-specific TLSOptions enforces client certificate authentication, and UDP access to the entrypoint is reachable by an attacker. This vulnerability is fixed in 3.7.3.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having critical severity.

CVSS v3 Scores
CVSS detail CNA (0b0ca135-0b70-47e7-9f44-1890c2a1c46c) National Vulnerability Database
Base Score 9.1 10
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector Network Network
Attack Complexity Low Low
Privileges Required None None
User Interaction None None
Scope Unchanged Changed
Confidentiality Impact High High
Integrity Impact High High
Availability Impact None None
CVSSv3 Version 3.1 3.1
CVSS v4 Scores
CVSS detail CNA (GitHub)
Base Score 7.8
Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User Interaction None
Vulnerable System Confidentiality Impact None
Vulnerable System Integrity Impact None
Vulnerable System Availability Impact None
Subsequent System Confidentiality Impact High
Subsequent System Integrity Impact High
Subsequent System Availability Impact None
CVSSv4 Version 4.0
SUSE Bugzilla entry: 1269067 [NEW]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • traefik >= 3.7.5-1.1
Patchnames:
openSUSE-Tumbleweed-2026-11047


SUSE Timeline for this CVE

CVE page created: Wed Jun 17 00:00:30 2026
CVE page last modified: Tue Jun 30 13:08:07 2026