CVE-2026-48928

A flaw was found in Node.js. An inconsistency in how Node.js matches hostnames can be exploited by a remote attacker in multi-context mTLS mutual Transport Layer Security setups. This vulnerability allows for a trust-policy bypass, potentially leading to unauthorized access to sensitive informati...

ALPINE-CVE-2026-48928

A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

CURL-CVE-2026-8932 incomplete mTLS config matching in conn reuse

libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS...

CVE-2026-53622

A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This critical vulnerability in Traefik's HTTP/3 QUIC TLS configuration selection allows unauthenticated clients to bypass router-specific mutual Transport Layer Security mTLS enforcement. When HTTP/3 is enabled and a router use...

PT-2026-51751

Name of the Vulnerable Software and Affected Versions curl versions 7.7 through 8.20.x Description libcurl incorrectly reuses connections from its connection pool when certain mTLS mutual TLS configuration options, specifically those related to the private key, are modified. Because these TLS...

CVE-2026-53622

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 QUIC TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake...

CVE-2026-53622 Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 QUIC TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake...

CVE-2026-48491

Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection SNICheck that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard...

PT-2026-50143

Name of the Vulnerable Software and Affected Versions Traefik versions 3.7.0 through 3.7.2 Description An issue in the SNICheck domain-fronting protection allows an unauthenticated client to bypass mutual TLS mTLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rul...

Security Bulletin: IBM Engineering Lifecycle Optimization - Engineering Publishing affected by a race condition in Eclipse Jersey (CVE-2025-12383)

Summary A critical race condition CVE-2025-12383 has been identified in the Eclipse Jersey client library jersey-client-2.26.jar used by IBM Engineering Lifecycle Optimization - Engineering Publishing. Under high-concurrency conditions, a flaw in the HTTPS client's lazy initialization flow can...

CVE-2026-44700

Elixir WebRTC is an Elixir implementation of the W3C WebRTC API. Prior to 0.15.1 and 0.16.1, missing DTLS peer certificate fingerprint validation in the DTLS client active role removes one side of WebRTC's mutual authentication. The bug is not independently exploitable for media interception in...

stigmem-node's federation insecure transport settings may allow non-loopback cleartext federation

Impact Stigmem nodes with federation enabled could be configured to run without mTLS outside loopback-only local development. In affected deployments, federation traffic may traverse the network without the intended transport protection. Impacted users are operators who enabled federation and...

CVE-2026-46579

A flaw was found in the OpenShift Router. When a Route has insecureEdgeTerminationPolicy set to Allow, the HTTP frontend does not remove X-SSL-Client- headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted X-SSL-Client- headers. As a resul...

CVE-2026-46579 Openshift/router: openshift/router: mtls client certificate spoofing via unstripped x-ssl-client headers on http frontend

A flaw was found in the OpenShift Router. When a Route has insecureEdgeTerminationPolicy set to Allow, the HTTP frontend does not remove X-SSL-Client- headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted X-SSL-Client- headers. As a resul...

CVE-2026-8855

IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication client authentication...

CVE-2026-8855

IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication client authentication...

CVE-2026-8855

IBM HTTP Server versions 8.5 and 9.0 are affected by CVE-2026-8855, with remote code execution and denial of service when TLS mutual authentication is configured. The issue is documented by IBM and reflected in NVD with high-severity vectors (NETWORK, no user interaction). The IBM PSIRT bulletin ...

CVE-2026-8855

IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication client authentication...

CVE-2026-8855 IBM HTTP Server is affected by multiple vulnerabilities

IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication client authentication...

CVE-2026-8855 IBM HTTP Server is affected by multiple vulnerabilities

IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication client authentication...