CVE-2026-25949
Published: 12 February 2026
Summary
CVE-2026-25949 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Traefik Traefik. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-25949 is a denial-of-service vulnerability in Traefik, an open-source HTTP reverse proxy and load balancer, affecting versions prior to 3.6.8. The issue stems from improper handling of STARTTLS requests, specifically the 8-byte Postgres SSLRequest prelude. By sending this prelude and then stalling, an attacker can bypass the entrypoint's respondingTimeouts.readTimeout configuration, causing connections to remain open indefinitely and potentially exhausting server resources. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption).
Any unauthenticated attacker with network access to a vulnerable Traefik instance can exploit this flaw remotely with low complexity and no user interaction required. Exploitation involves initiating a TCP connection to the Traefik entrypoint, transmitting the Postgres SSLRequest bytes, and then pausing further communication, which prevents the timeout from triggering. Successful attacks can lead to resource exhaustion through accumulation of stalled connections, resulting in denial of service for legitimate traffic.
Traefik addressed this vulnerability in version 3.6.8, as detailed in the project's security advisory (GHSA-89p3-4642-cr2w), release notes, and the fixing commit (31e566e9f1d7888ccb6fbc18bfed427203c35678). Security practitioners should upgrade to Traefik 3.6.8 or later to mitigate the issue, and review entrypoint timeout configurations for additional protection against similar resource exhaustion vectors.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6207
Vulnerability details
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then…
more
stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote, unauthenticated logic flaw in Traefik's STARTTLS/SSLRequest handling that directly enables an adversary to stall connections, bypass configured timeouts, and accumulate resource exhaustion, matching the definition of Application or System Exploitation for denial-of-service impact.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the vulnerability by requiring timely remediation of the specific flaw in Traefik's STARTTLS handling via patching to version 3.6.8 or later.
Provides denial-of-service protection through mechanisms like connection rate limiting and traffic filtering to prevent resource exhaustion from stalled connections.
Ensures resource availability by enforcing limits on system resources such as maximum concurrent connections, countering uncontrolled consumption from indefinite open sessions.