CVE-2026-25949

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678	Patch
https://github.com/traefik/traefik/releases/tag/v3.6.8	Product Release Notes
https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-12 20:16

Updated : 2026-02-20 18:44

NVD link : CVE-2026-25949

Mitre link : CVE-2026-25949

CVE.ORG link : CVE-2026-25949

JSON object : View

Products Affected

traefik

traefik

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2026-25949", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-12T20:16:11.227", "references": [{"url": "https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.8", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8."}, {"lang": "es", "value": "Traefik es un proxy inverso HTTP y un balanceador de carga. Antes de la versi\u00f3n 3.6.8, existe una posible vulnerabilidad en Traefik al gestionar solicitudes STARTTLS. Un cliente no autenticado puede eludir el respondingTimeouts.readTimeout del punto de entrada de Traefik enviando el pre\u00e1mbulo de 8 bytes de Postgres SSLRequest (STARTTLS) y luego estanc\u00e1ndose, lo que provoca que las conexiones permanezcan abiertas indefinidamente, lo que lleva a una denegaci\u00f3n de servicio. Esta vulnerabilidad se corrige en la versi\u00f3n 3.6.8."}], "lastModified": "2026-02-20T18:44:41.160", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "05ADF4F6-5356-4E37-9CBB-0C5058E249D5", "versionEndExcluding": "3.6.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}