CVE-2026-31361: Traefik ACME Private Key Exposure via Logs
GetPrivateKey() in Traefik's ACME path logs the entire DER-encoded private key as decimal bytes when parsing fails. A 5-year regression of a partial v1.7.20 fix that was never ported to v2.x or v3.x.
Summary
When the ACME private key fails to parse, GetPrivateKey() (account.go:60-61) logs the entire DER-encoded key as a slice of decimal bytes via the %+v format string:
Cannot unmarshal private key [48 130 9 ...]
The key material flows to stdout, log files, and any connected log aggregator (Splunk, ELK, CloudWatch, Datadog).
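The flawed logging pattern beside a redacting form, plus a check a log-aggregator rule could apply to lines already on disk, as an added Go example that is not Traefik's code (PKCS#8 parsing, the fingerprint format and the function names are assumptions):

```go
package main

import (
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"regexp"
)

// leakyParseFailure reproduces the flawed pattern: the whole DER blob is
// interpolated with %+v, so every key byte is written to the log as decimals.
func leakyParseFailure(der []byte) string {
	return fmt.Sprintf("Cannot unmarshal private key %+v", der)
}

// redactedParseFailure is an assumed hardened form (not Traefik's patch): it
// logs only the length and a truncated SHA-256 fingerprint, enough to
// correlate with the file on disk, and no key material at all.
func redactedParseFailure(der []byte) string {
	sum := sha256.Sum256(der)
	return fmt.Sprintf("Cannot unmarshal private key (len=%d sha256=%s...)",
		len(der), hex.EncodeToString(sum[:8]))
}

// LoadAccountKey parses a PKCS#8 DER key (assumed format) and returns the log
// line a caller should emit on failure; redact selects the safe message.
func LoadAccountKey(der []byte, redact bool) (any, string, error) {
	key, err := x509.ParsePKCS8PrivateKey(der)
	if err == nil {
		return key, "", nil
	}
	if redact {
		return nil, redactedParseFailure(der), err
	}
	return nil, leakyParseFailure(der), err
}

// derLeakPattern matches the advisory's log shape: "private key [48 130 9 ...",
// a DER SEQUENCE tag (0x30 = 48) followed by a run of decimal bytes.
var derLeakPattern = regexp.MustCompile(`private key \[48( \d{1,3}){8,}`)

// LeaksDERKey is a detection check for finding already-exposed keys that
// need rotation in retained logs.
func LeaksDERKey(line string) bool { return derLeakPattern.MatchString(line) }

func main() {
	// Constructed sample: a truncated DER header that cannot parse.
	garbage := []byte{48, 130, 9, 0, 2, 1, 0, 48, 13, 6, 9, 42, 134, 72, 134, 247}
	_, leaky, _ := LoadAccountKey(garbage, false)
	_, safe, _ := LoadAccountKey(garbage, true)
	fmt.Println(leaky, LeaksDERKey(leaky)) // every byte visible, flagged
	fmt.Println(safe, LeaksDERKey(safe))   // metadata only, not flagged
}
```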
Why it matters
This converts narrow file-storage access (acme.json, 0600 permissions, single host) into broad exposure across logging infrastructure that ops teams routinely access and that retains data for years.
History
A partial fix existed in v1.7.20 (truncating to 16 bytes) but was never ported forward to v2.x or v3.x. Five years of regression.
Discovery
Code review of Traefik’s ACME certificate-storage error-handling paths.
Status
Patched. CVE assigned by MITRE.