{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22045", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T22:30:38.720Z", "datePublished": "2026-01-15T22:44:05.423Z", "dateUpdated": "2026-01-20T16:29:37.648Z"}, "containers": {"cna": {"title": "Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq"}, {"name": "https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d"}, {"name": "https://github.com/traefik/traefik/releases/tag/v2.11.35", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.35"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.6.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.7"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": "< 2.11.35", "status": "affected"}, {"version": ">=3.0.0-beta1, < 3.6.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T22:44:05.423Z"}, "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7."}], "source": {"advisory": "GHSA-cwjm-3f7h-9hwq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T16:29:14.971395Z", "id": "CVE-2026-22045", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T16:29:37.648Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22045", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T16:29:14.971395Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T16:29:31.728Z"}}], "cna": {"title": "Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall", "source": {"advisory": "GHSA-cwjm-3f7h-9hwq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"status": "affected", "version": "< 2.11.35"}, {"status": "affected", "version": ">=3.0.0-beta1, < 3.6.7"}]}], "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq", "name": "https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d", "name": "https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v2.11.35", "name": "https://github.com/traefik/traefik/releases/tag/v2.11.35", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.7", "name": "https://github.com/traefik/traefik/releases/tag/v3.6.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T22:44:05.423Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22045", "state": "PUBLISHED", "dateUpdated": "2026-01-20T16:29:37.648Z", "dateReserved": "2026-01-05T22:30:38.720Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-15T22:44:05.423Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7."}], "id": "CVE-2026-22045", "lastModified": "2026-01-16T15:55:12.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-15T23:15:51.593", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d"}, {"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/releases/tag/v2.11.35"}, {"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/releases/tag/v3.6.7"}, {"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "traefik: Traefik: Denial of Service via ACME TLS-ALPN fast path resource exhaustion", "id": "2430198", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430198"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This vulnerability exists in the ACME TLS-ALPN fast path, where unauthenticated clients can exploit it. By initiating numerous connections and sending a minimal ClientHello with \"acme-tls/1\" before ceasing communication, a malicious client can indefinitely tie up system resources such as \"go routines\" (lightweight threads) and file descriptors. This leads to a Denial of Service (DoS) of the entry point, making the service unavailable to legitimate users."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-22045", "package_state": [{"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/traefik-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-01-15T22:44:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22045\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22045\nhttps://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d\nhttps://github.com/traefik/traefik/releases/tag/v2.11.35\nhttps://github.com/traefik/traefik/releases/tag/v3.6.7\nhttps://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq"], "statement": "This vulnerability is rated Moderate for Red Hat. In the Red Hat context, this flaw affects Traefik as deployed in Red Hat OpenShift Dev Spaces. An unauthenticated attacker can exploit the ACME TLS-ALPN fast path to exhaust system resources, leading to a denial of service of the entry point.", "threat_severity": "Moderate"}