Cyber Posture

CVE-2026-25949

High

Published: 12 February 2026

Published
12 February 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0002 5.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25949 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Traefik Traefik. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-10 Concurrent Session Control
addresses: CWE-400

Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.

AU-6 Audit Record Review, Analysis, and Reporting
addresses: CWE-400

Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts.

CP-4 Contingency Plan Testing
addresses: CWE-400

Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.

CP-5 Contingency Plan Update
addresses: CWE-400

Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.

CP-7 Alternate Processing Site
addresses: CWE-400

Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.

CP-8 Telecommunications Services
addresses: CWE-400

Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.

IR-10 Integrated Information Security Analysis Team
addresses: CWE-400

The team can analyze and respond to resource exhaustion incidents, reducing the impact of attacks that exploit uncontrolled consumption weaknesses.

MA-6 Timely Maintenance
addresses: CWE-400

Timely maintenance support and spare parts enable rapid recovery from failures induced by uncontrolled resource consumption, shortening the impact window of denial-of-service attacks.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

The CVE describes a remote, unauthenticated logic flaw in Traefik's STARTTLS/SSLRequest handling that directly enables an adversary to stall connections, bypass configured timeouts, and accumulate resource exhaustion, matching the definition of Application or System Exploitation for denial-of-service impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then…

more

stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8.

Deeper analysisAI

CVE-2026-25949 is a denial-of-service vulnerability in Traefik, an open-source HTTP reverse proxy and load balancer, affecting versions prior to 3.6.8. The issue stems from improper handling of STARTTLS requests, specifically the 8-byte Postgres SSLRequest prelude. By sending this prelude and then stalling, an attacker can bypass the entrypoint's respondingTimeouts.readTimeout configuration, causing connections to remain open indefinitely and potentially exhausting server resources. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption).

Any unauthenticated attacker with network access to a vulnerable Traefik instance can exploit this flaw remotely with low complexity and no user interaction required. Exploitation involves initiating a TCP connection to the Traefik entrypoint, transmitting the Postgres SSLRequest bytes, and then pausing further communication, which prevents the timeout from triggering. Successful attacks can lead to resource exhaustion through accumulation of stalled connections, resulting in denial of service for legitimate traffic.

Traefik addressed this vulnerability in version 3.6.8, as detailed in the project's security advisory (GHSA-89p3-4642-cr2w), release notes, and the fixing commit (31e566e9f1d7888ccb6fbc18bfed427203c35678). Security practitioners should upgrade to Traefik 3.6.8 or later to mitigate the issue, and review entrypoint timeout configurations for additional protection against similar resource exhaustion vectors.

Details

CWE(s)
CWE-400

Affected Products

traefik
traefik
≤ 3.6.8

CVEs Like This One

CVE-2026-26999Same product: Traefik Traefik
CVE-2026-22045Same product: Traefik Traefik
CVE-2026-40912Same product: Traefik Traefik
CVE-2025-54386Same product: Traefik Traefik
CVE-2026-29054Same product: Traefik Traefik
CVE-2026-33433Same product: Traefik Traefik
CVE-2026-39858Same product: Traefik Traefik
CVE-2026-32695Same product: Traefik Traefik
CVE-2026-35051Same product: Traefik Traefik
CVE-2025-9464Shared CWE-400

References