{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22045", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T22:30:38.720Z", "datePublished": "2026-01-15T22:44:05.423Z", "dateUpdated": "2026-01-20T16:29:37.648Z"}, "containers": {"cna": {"title": "Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq"}, {"name": "https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d"}, {"name": "https://github.com/traefik/traefik/releases/tag/v2.11.35", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.35"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.6.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.7"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": "< 2.11.35", "status": "affected"}, {"version": ">=3.0.0-beta1, < 3.6.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T22:44:05.423Z"}, "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7."}], "source": {"advisory": "GHSA-cwjm-3f7h-9hwq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T16:29:14.971395Z", "id": "CVE-2026-22045", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T16:29:37.648Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22045", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T16:29:14.971395Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T16:29:31.728Z"}}], "cna": {"title": "Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall", "source": {"advisory": "GHSA-cwjm-3f7h-9hwq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"status": "affected", "version": "< 2.11.35"}, {"status": "affected", "version": ">=3.0.0-beta1, < 3.6.7"}]}], "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq", "name": "https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d", "name": "https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v2.11.35", "name": "https://github.com/traefik/traefik/releases/tag/v2.11.35", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.7", "name": "https://github.com/traefik/traefik/releases/tag/v3.6.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T22:44:05.423Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22045", "state": "PUBLISHED", "dateUpdated": "2026-01-20T16:29:37.648Z", "dateReserved": "2026-01-05T22:30:38.720Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-15T22:44:05.423Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "84C034EA-1F19-462D-9472-68F1CAA93115", "versionEndExcluding": "2.11.35", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "44AA42E3-588B-4741-B128-74C761D1B5FA", "versionEndExcluding": "3.6.7", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7."}], "id": "CVE-2026-22045", "lastModified": "2026-01-23T19:29:05.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-15T23:15:51.593", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.35"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.7"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "traefik: Traefik: Denial of Service via ACME TLS-ALPN fast path resource exhaustion", "id": "2430198", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430198"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This vulnerability exists in the ACME TLS-ALPN fast path, where unauthenticated clients can exploit it. By initiating numerous connections and sending a minimal ClientHello with \"acme-tls/1\" before ceasing communication, a malicious client can indefinitely tie up system resources such as \"go routines\" (lightweight threads) and file descriptors. This leads to a Denial of Service (DoS) of the entry point, making the service unavailable to legitimate users."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-22045", "package_state": [{"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/traefik-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-01-15T22:44:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22045\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22045\nhttps://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d\nhttps://github.com/traefik/traefik/releases/tag/v2.11.35\nhttps://github.com/traefik/traefik/releases/tag/v3.6.7\nhttps://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq"], "statement": "This vulnerability is rated Moderate for Red Hat. In the Red Hat context, this flaw affects Traefik as deployed in Red Hat OpenShift Dev Spaces. An unauthenticated attacker can exploit the ACME TLS-ALPN fast path to exhaust system resources, leading to a denial of service of the entry point.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T05:54:12.166300+00:00", "value": {"mitigation_remediation": ["Update Traefik to at least v2.11.35 or v3.6.7", "If the ACME TLS challenge is not required, disable ACME TLS\u2011ALPN fast path in the configuration", "Implement monitoring or rate limiting on entry points to detect abnormal connection spikes"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Affected installations include Traefik deployments running version 2.10.x through 2.11.34 and 3.4.x through 3.6.6. The vulnerability is present in all 2.x and 3.x releases before the updates to 2.11.35 and 3.6.7 respectively. Administrators using the ACME TLS challenge feature on their load balancer entry points are at risk.", "description_and_impact": "Traefik's ACME TLS-ALPN fast path is a resource\u2011exhaustion vulnerability that allows an unauthenticated client to bind goroutines and file descriptors indefinitely. The attacker can send a minimal ClientHello specifying acme\u2011tls/1 and then stop responding, causing the entry point to become saturated by long\u2011lived connections. This leads to a denial\u2011of\u2011service of the affected entry point as normal traffic cannot be served. The weakness maps to CWE\u2011770.", "risk_and_exploitability": "The CVSS base score of 5.9 indicates a moderate severity, and the EPSS probability of fewer than 1% suggests that exploitation is unlikely in the current landscape. The flaw is not listed in CISA's KEV catalog. The attack surface is limited to clients that can initiate TLS handshakes on the entry point, thus the immediate risk is low but the potential for service disruption is real. Updating to the patched releases removes the vulnerability entirely."}}}}, "created": "2026-01-16T13:42:25.602866+00:00", "updated": "2026-04-18T06:00:08.498797+00:00", "vendors": ["traefik", "traefik$PRODUCT$traefik"]}