Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection (SNICheck) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rule such as Host(*.example.com) with stricter TLS options (for example RequireAndVerifyClientCert), SNICheck resolves the TLS options for the HTTP Host header using exact map lookups only and never applies wildcard matching. If another permissive SNI is served on the same entrypoint, an attacker can complete the TLS handshake under the permissive options and then send an HTTP Host header targeting the wildcard-protected backend, reaching it without presenting a client certificate. This affects the regular HTTPS / HTTP-2 path and does not require HTTP/3. This vulnerability is fixed in 3.7.3.
CVE-2026-48491
This critical-severity CVE scores 10.0 under NVD CVSS v3. EPSS exploit probability: 0.2%, top 84% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 10.0
- EG Score
- 10.0(medium)
- EPSS
- 15.7%
- KEV
- Not listed
Published
June 16, 2026
Last Modified
June 30, 2026
Advisory Details (5)
Auto-updated Jun 30, 20262491923 – (CVE-2026-48491) CVE-2026-48491 Traefik: Traefik: Unauthorized access due to mutual TLS bypass
https://bugzilla.redhat.com/show_bug.cgi?id=2491923SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass · Advisory · traefik/traefik · GitHub
https://github.com/traefik/traefik/security/advisories/GHSA-5r4w-85f3-pw66v3.7.3
Patch available: traefik/traefik v3.7.3
https://github.com/traefik/traefik/releases/tag/v3.7.3Vendor Advisories for CVE-2026-48491(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Affected Packages
(1 across 1 ecosystem)
Go(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| Traefik | — | 3.7.3 | — |
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 43× in last 7d / 81× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-07 02:49 UTCEG score recompute
- 2026-07-06 23:09 UTCEG score recompute
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 06:48 UTCEG score recompute
- 2026-07-06 02:51 UTCEG score recompute
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 23:13 UTCEG score recompute
- 2026-07-05 19:35 UTCEG score recompute
- 2026-07-05 15:58 UTCEG score recompute
- 2026-07-05 12:19 UTCEG score recompute
- 2026-07-05 08:42 UTCEG score recompute
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-05 01:47 UTCEG score recompute
- 2026-07-04 22:09 UTCEG score recompute
- 2026-07-04 18:31 UTCEG score recompute
- 2026-07-04 12:46 UTCEG score recompute
- 2026-07-04 09:08 UTCEG score recompute
- 2026-07-04 00:55 UTCEG score recompute
- 2026-07-03 21:04 UTCEG score recompute
- 2026-07-03 17:26 UTCEG score recompute
- 2026-07-03 13:47 UTCEG score recompute
- 2026-07-03 06:45 UTCEG score recompute
- 2026-07-03 02:46 UTCEG score recompute
- 2026-07-02 23:06 UTCEG score recompute
- 2026-07-02 19:28 UTCEG score recompute
Show 56 moreShow fewer
- 2026-07-02 15:51 UTCEG score recompute
- 2026-07-02 12:14 UTCEG score recompute
- 2026-07-02 08:36 UTCEG score recompute
- 2026-07-02 04:55 UTCEG score recompute
- 2026-07-02 01:17 UTCEG score recompute
- 2026-07-01 21:40 UTCEG score recompute
- 2026-07-01 18:01 UTCEG score recompute
- 2026-07-01 15:07 UTCEPSS rescore
- 2026-07-01 14:24 UTCEG score recompute
- 2026-07-01 10:47 UTCEG score recompute
- 2026-07-01 07:08 UTCEG score recompute
- 2026-07-01 03:30 UTCEG score recompute
- 2026-06-30 23:53 UTCEG score recompute
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-30 20:06 UTCEG score recompute
- 2026-06-30 16:28 UTCEG score recompute
- 2026-06-30 12:50 UTCEG score recompute
- 2026-06-30 08:42 UTCEG score recompute
- 2026-06-30 05:02 UTCEG score recompute
- 2026-06-30 01:14 UTCEG score recompute
- 2026-06-29 21:37 UTCEG score recompute
- 2026-06-29 18:00 UTCEG score recompute
- 2026-06-29 14:17 UTCEG score recompute
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 10:39 UTCEG score recompute
- 2026-06-29 07:02 UTCEG score recompute
- 2026-06-29 03:22 UTCEG score recompute
- 2026-06-28 23:41 UTCEG score recompute
- 2026-06-28 20:03 UTCEG score recompute
- 2026-06-28 16:26 UTCEG score recompute
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 12:49 UTCEG score recompute
- 2026-06-28 09:11 UTCEG score recompute
- 2026-06-28 05:33 UTCEG score recompute
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 01:55 UTCEG score recompute
- 2026-06-27 22:18 UTCEG score recompute
- 2026-06-27 18:41 UTCEG score recompute
- 2026-06-27 15:04 UTCEG score recompute
- 2026-06-27 11:26 UTCEG score recompute
- 2026-06-27 07:49 UTCEG score recompute
- 2026-06-27 04:11 UTCEG score recompute
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-27 00:34 UTCEG score recompute▲ 2.20
- 2026-06-26 17:41 UTCNVD updateCVSS v3 → 10 · severity → CRITICAL
- 2026-06-26 12:31 UTCEG score recompute
- 2026-06-26 00:27 UTCEG score recompute
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-25 12:16 UTCEG score recompute
- 2026-06-25 00:12 UTCEG score recompute
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-24 12:03 UTCEG score recompute▲ 7.80
- 2026-06-24 12:01 UTCNVD updateCVSS v3 → 7.8 · CVSS v4 → 7.8
- 2026-06-16 19:06 UTCEG score recompute
Frequently asked(5)
What is CVE-2026-48491?
When was CVE-2026-48491 disclosed?
Is CVE-2026-48491 actively exploited?
What is the CVSS score of CVE-2026-48491?
How do I remediate CVE-2026-48491?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-48491
Is Your Infrastructure Affected by CVE-2026-48491?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.