{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25949", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T17:13:54.065Z", "datePublished": "2026-02-12T20:01:19.600Z", "dateUpdated": "2026-02-12T21:16:17.659Z"}, "containers": {"cna": {"title": "Traefik: TCP readTimeout bypass via STARTTLS on Postgres", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w"}, {"name": "https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.6.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.8"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": "< 3.6.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T20:01:19.600Z"}, "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8."}], "source": {"advisory": "GHSA-89p3-4642-cr2w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T20:47:57.313606Z", "id": "CVE-2026-25949", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:16:17.659Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25949", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-12T20:47:57.313606Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:15:53.389Z"}}], "cna": {"title": "Traefik: TCP readTimeout bypass via STARTTLS on Postgres", "source": {"advisory": "GHSA-89p3-4642-cr2w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"status": "affected", "version": "< 3.6.8"}]}], "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w", "name": "https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678", "name": "https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.8", "name": "https://github.com/traefik/traefik/releases/tag/v3.6.8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T20:01:19.600Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25949", "state": "PUBLISHED", "dateUpdated": "2026-02-12T21:16:17.659Z", "dateReserved": "2026-02-09T17:13:54.065Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-12T20:01:19.600Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "05ADF4F6-5356-4E37-9CBB-0C5058E249D5", "versionEndExcluding": "3.6.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8."}, {"lang": "es", "value": "Traefik es un proxy inverso HTTP y un balanceador de carga. Antes de la versi\u00f3n 3.6.8, existe una posible vulnerabilidad en Traefik al gestionar solicitudes STARTTLS. Un cliente no autenticado puede eludir el respondingTimeouts.readTimeout del punto de entrada de Traefik enviando el pre\u00e1mbulo de 8 bytes de Postgres SSLRequest (STARTTLS) y luego estanc\u00e1ndose, lo que provoca que las conexiones permanezcan abiertas indefinidamente, lo que lleva a una denegaci\u00f3n de servicio. Esta vulnerabilidad se corrige en la versi\u00f3n 3.6.8."}], "id": "CVE-2026-25949", "lastModified": "2026-02-20T18:44:41.160", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-12T20:16:11.227", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.8"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/traefik/traefik: Traefik: Denial of Service via stalled STARTTLS requests", "id": "2439522", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439522"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["No description is available for this CVE."], "name": "CVE-2026-25949", "package_state": [{"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-02-12T20:01:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25949\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25949\nhttps://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678\nhttps://github.com/traefik/traefik/releases/tag/v3.6.8\nhttps://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w"], "statement": "This is an IMPORTANT denial of service flaw in Traefik, an HTTP reverse proxy and load balancer, affecting Red Hat OpenShift Dev Spaces. An unauthenticated client can exploit this by sending a specific STARTTLS request and then stalling, which bypasses configured read timeouts and causes connections to remain open indefinitely, leading to resource exhaustion.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.8)"}}], "product": "traefik", "vendor": "traefik"}], "analysis": {"en": {"generated_at": "2026-04-17T19:59:35.103197+00:00", "value": {"mitigation_remediation": ["Upgrade Traefik to version 3.6.8 or later. ", "If upgrading is not immediately possible, block or restrict access to the TCP entrypoint for PostgreSQL clients, for example by firewall rules or by controlling ingress traffic. ", "Deploy additional connection\u2011limit or idle\u2011timeout controls on downstream services to mitigate the impact if a stale connection persists."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Traefik instances running any version prior to 3.6.8 on any supported platform are vulnerable. The issue resides in the handling of STARTTLS requests in the TCP proxy layer.", "description_and_impact": "An attacker who can establish an unauthenticated TCP connection to a Traefik entrypoint may send a PostgreSQL STARTTLS prelude and then stop responding. Traefik\u2019s readTimeout configured on that entrypoint is bypassed, so the connection stays open indefinitely, consuming server resources until the system is overwhelmed or services become unavailable.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high denial\u2011of\u2011service risk. The EPSS score is under 1%, suggesting exploitation is unlikely at present, and the vulnerability is not listed in CISA\u2019s KEV catalog. An attacker only needs network access to the affected TCP port and can exploit the flaw with a simple STARTTLS packet, without authentication or privileged credentials. The weakness involves uncontrolled resource consumption (CWE\u2011400) and potential memory allocation over\u2011commitment (CWE\u2011770)."}}}}, "created": "2026-02-13T21:29:27.479636+00:00", "updated": "2026-04-17T20:00:09.043066+00:00", "vendors": ["traefik", "traefik$PRODUCT$traefik"]}