CVE-2026-31360: Traefik SPIFFE Trust Domain Bypass
Traefik's verifyServerCertMatchesURI overwrites the expected SPIFFE URI's host with the certificate's actual host before comparison, defeating trust-domain validation.
Summary
Traefik’s verifyServerCertMatchesURI overwrites the expected SPIFFE URI’s host with the certificate’s actual host before comparison, defeating trust-domain validation entirely. Any valid certificate from a shared CA pool passes validation regardless of which trust domain issued it.
Secondary finding
While verifying impact in real deployments, I also discovered that Consul Connect was generating SPIFFE URIs without trust domains. That makes trust-domain isolation non-functional for the entire Consul Connect user base, independently of the Traefik bug.
Discovery
Code review of Traefik’s mTLS implementation and SPIFFE URI parsing. The relevant function constructs the comparison target by mutating the expected URI in place.
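The following Go program is an added illustration, not Traefik's or Consul Connect's code, of the two failure modes described above: a comparison routine that copies the certificate's host into the expected SPIFFE URI before comparing (so the trust domain can never mismatch), beside a strict comparison that checks scheme, trust domain and path separately, plus a validator that rejects SPIFFE IDs carrying no trust domain at all. Function names (`matchMutating`, `matchStrict`, `validateSPIFFEID`) and the sample IDs are constructed for the example; the inputs are the URI SANs as Go's `x509.Certificate.URIs` would hand them over, so no real certificates are needed to run it.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// validateSPIFFEID enforces the structural rules a SPIFFE ID must satisfy
// before it is worth comparing: spiffe scheme, a non-empty trust domain
// (the URI host), and no userinfo, port, query or fragment.
// An ID such as "spiffe:///ns/default/sa/api" (constructed here to stand in
// for an identity issued without a trust domain) fails this check.
func validateSPIFFEID(u *url.URL) error {
	if u == nil {
		return errors.New("nil URI")
	}
	if u.Scheme != "spiffe" {
		return fmt.Errorf("scheme %q is not spiffe", u.Scheme)
	}
	if u.Host == "" {
		return errors.New("SPIFFE ID has no trust domain")
	}
	if u.User != nil || u.Port() != "" || u.RawQuery != "" || u.Fragment != "" {
		return errors.New("SPIFFE ID must not carry userinfo, port, query or fragment")
	}
	return nil
}

// matchMutating reproduces the bug class: the expected URI is rewritten with
// the certificate's host before the string comparison, so any certificate
// whose path matches is accepted whatever trust domain issued it. The caller's
// expected URI is also modified as a side effect. Vulnerable pattern, kept
// only to contrast with matchStrict below.
func matchMutating(expected *url.URL, certURIs []*url.URL) bool {
	for _, u := range certURIs {
		if u.Scheme != "spiffe" {
			continue
		}
		expected.Host = u.Host // trust domain check is now a no-op
		if expected.String() == u.String() {
			return true
		}
	}
	return false
}

// matchStrict is the hardened form: both sides are validated, nothing is
// mutated, and scheme, trust domain and path are each compared explicitly.
func matchStrict(expected *url.URL, certURIs []*url.URL) (bool, error) {
	if err := validateSPIFFEID(expected); err != nil {
		return false, fmt.Errorf("expected ID: %w", err)
	}
	for _, u := range certURIs {
		if err := validateSPIFFEID(u); err != nil {
			continue // a malformed SAN can never match
		}
		if u.Scheme == expected.Scheme && u.Host == expected.Host && u.Path == expected.Path {
			return true, nil
		}
	}
	return false, nil
}

func mustParse(s string) *url.URL {
	u, err := url.Parse(s)
	if err != nil {
		panic(err)
	}
	return u
}

func main() {
	// Constructed sample: the service we expect, and a certificate from a
	// different trust domain that reuses the same workload path.
	expected := "spiffe://prod.example.org/ns/default/sa/api"
	foreign := []*url.URL{mustParse("spiffe://other.example.org/ns/default/sa/api")}

	fmt.Println("mutating comparison accepts foreign domain:", matchMutating(mustParse(expected), foreign))
	ok, err := matchStrict(mustParse(expected), foreign)
	fmt.Println("strict comparison accepts foreign domain:", ok, "err:", err)
	fmt.Println("ID without trust domain:", validateSPIFFEID(mustParse("spiffe:///ns/default/sa/api")))
}
```

The strict variant deliberately fails closed on malformed IDs rather than trying to repair them: a SAN with an empty trust domain is not compared at all, which is the behaviour that would have surfaced the Consul Connect issue as an error instead of a silent match.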
Impact
- CVSS: 8.2 (High)
- Cross-trust-domain service impersonation in zero-trust architectures using SPIRE or Consul Connect.
Status
Patched. CVE assigned by MITRE.