CVE-2026-22045

5.9 MEDIUM

📋 TL;DR

This vulnerability allows unauthenticated attackers to cause denial of service in Traefik reverse proxy by exploiting the ACME TLS-ALPN challenge mechanism. Attackers can open numerous connections and leave them hanging, consuming server resources indefinitely. This affects all Traefik deployments with ACME TLS challenge enabled prior to versions 2.11.35 and 3.6.7.

💻 Affected Systems

Products:
  • Traefik
Versions: All versions prior to 2.11.35 and 3.6.7
Operating Systems: All platforms running Traefik
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when ACME TLS challenge is enabled. HTTP-01 and DNS-01 challenges are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for the affected entry point, making services behind Traefik unreachable until resource exhaustion is resolved.

🟠 Likely Case

Degraded performance and intermittent service disruptions as goroutines and file descriptors are consumed.

🟢 If Mitigated

Minimal impact if ACME TLS challenge is disabled or if connections are rate-limited.

🌐 Internet-Facing: HIGH - Internet-facing Traefik instances with ACME enabled are directly exposed to unauthenticated attacks.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but require the attacker to have access to the internal network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires minimal technical skill - just opening connections with specific ClientHello and not responding.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.35 or 3.6.7

Vendor Advisory: https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq

Restart Required: Yes

Instructions:

1. Backup current configuration.
2. Stop Traefik service.
3. Update to Traefik 2.11.35 or 3.6.7.
4. Restart Traefik service.
5. Verify functionality.

🔧 Temporary Workarounds

Disable ACME TLS-ALPN challenge

Platform: all

Switch to HTTP-01 or DNS-01 challenge methods instead of TLS-ALPN

# In the Traefik static configuration (TOML), remove the tlsChallenge table
# from the ACME resolver and configure the HTTP-01 challenge instead:
[certificatesResolvers.myresolver.acme]
  email = "admin@example.com"
  storage = "acme.json"
  # [certificatesResolvers.myresolver.acme.tlsChallenge]   <- removed
  [certificatesResolvers.myresolver.acme.httpChallenge]
    entryPoint = "web"

Rate limit connections

Platform: linux

Implement connection rate limiting at network or application level

# Using iptables: drop new TCP connections to port 443 from a single source
# address once it already holds more than 100 concurrent connections
# (connlimit counts per /32 source by default; adjust with --connlimit-mask).
iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 100 -j DROP

🧯 If You Can't Patch

  • Disable ACME TLS challenge entirely and use alternative certificate management
  • Implement strict network ACLs to limit who can connect to Traefik entry points

🔍 How to Verify

Check if Vulnerable:

Check the Traefik version and ACME configuration. If the version is below 2.11.35 (v2 line) or below 3.6.7 (v3 line) AND tlsChallenge is enabled for any certificate resolver, the system is vulnerable.

Check Version:

traefik version

Verify Fix Applied:

Confirm Traefik version is 2.11.35 or higher (v2) or 3.6.7 or higher (v3) and monitor for connection exhaustion.
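The check above, as an added example (not part of the advisory): it parses the version line from `traefik version` output, compares it against the fixed releases per major line, and looks for an enabled tlsChallenge in the static configuration. It assumes the version output contains a line like `Version: vX.Y.Z` and that the configuration is available as TOML, YAML, or CLI-flag text; the sample inputs are constructed.

```python
import re

# Fixed releases stated in the advisory, keyed by major version line.
FIXED = {2: (2, 11, 35), 3: (3, 6, 7)}

# Matches the resolver path in TOML table headers and CLI/env flags, e.g.
# "[certificatesResolvers.r.acme.tlsChallenge]" or
# "--certificatesresolvers.r.acme.tlschallenge=true" (case-insensitive).
TLS_ALPN_PATH = re.compile(r"certificatesresolvers[._][\w-]+[._]acme[._]tlschallenge\b", re.I)
# Matches the YAML form "tlsChallenge: {}" on its own (stripped) line.
TLS_ALPN_YAML = re.compile(r"^tlsChallenge\s*:")

def parse_version(version_output):
    """Extract (major, minor, patch) from `traefik version` output (assumed format)."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no semantic version found in: %r" % version_output)
    return tuple(int(x) for x in m.groups())

def version_is_fixed(version):
    """True when the version is at or above the patched release of its major line.
    Majors other than 2 and 3 are outside the advisory; treat anything newer as fixed."""
    fixed = FIXED.get(version[0])
    if fixed is None:
        return version[0] > 3
    return version >= fixed

def tls_challenge_enabled(config_text):
    """True if any resolver enables the ACME TLS-ALPN challenge (comments ignored)."""
    for line in config_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if TLS_ALPN_PATH.search(s) or TLS_ALPN_YAML.match(s):
            return True
    return False

def assess(version_output, config_text):
    """Combine both checks into a single verdict string."""
    if not tls_challenge_enabled(config_text):
        return "not affected (TLS-ALPN challenge not enabled)"
    if version_is_fixed(parse_version(version_output)):
        return "patched"
    return "VULNERABLE: upgrade to 2.11.35 / 3.6.7 or disable tlsChallenge"

# Constructed sample inputs, not output captured from a real deployment.
SAMPLE_VERSION_OUTPUT = "Version:      v3.6.6\nGo version:   go1.25.0\nOS/Arch:      linux/amd64\n"
SAMPLE_CONFIG_TOML = (
    "[certificatesResolvers.myresolver.acme]\n"
    '  email = "admin@example.com"\n'
    '  storage = "acme.json"\n'
    "  [certificatesResolvers.myresolver.acme.tlsChallenge]\n"
)
```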

📡 Detection & Monitoring

Log Indicators:

  • Unusually high number of TLS handshake timeouts
  • ACME TLS-ALPN challenge failures
  • Resource exhaustion warnings

Network Indicators:

  • Multiple connections on port 443 with incomplete TLS handshakes
  • Sustained connections with minimal ClientHello data

SIEM Query:

source="traefik" AND ("tls-alpn" OR "acme") AND ("timeout" OR "failed" OR "exhausted")

🔗 References
