KrakenD CE 2.13.6 and EE 2.13.4 update released
by Jorge Tarrero
This patch release of KrakenD Community Edition and Enterprise Edition upgrades Golang components to address several disclosed CVEs. Most of these vulnerabilities do not affect KrakenD and are marked as false positives.
golang.org/x/net
The x/net CVEs target the HTML parser. KrakenD does not render HTML from user input. The x/net/idna CVE is more broadly relevant as it affects hostname resolution.
golang.org/x/crypto
Almost all x/crypto CVEs target the SSH subsystem. KrakenD does not expose or use SSH as a transport protocol, so direct impact is minimal.
🚀 Summary of changes for EEv2.13.4 (patch)
Recommended security upgrade addressing several vulnerabilities disclosed by the Go team
- Upgraded Go components, addressing several CVEs with disclosed descriptions:
  - CVE-2026-39821: x/net/idna: privilege escalation — incorrectly accepts ASCII-only Punycode-encoded labels
  - CVE-2026-42506: html: XSS via incorrect handling of namespaced elements in foreign content (false positive)
  - CVE-2026-42502: html: XSS via incorrect handling of HTML elements in foreign content (false positive)
  - CVE-2026-25680: html: DoS via cubic complexity algorithm during HTML tree construction (false positive)
  - CVE-2026-25681: html: XSS via incorrect handling of character references in DOCTYPE nodes (false positive)
  - CVE-2026-27136: html: XSS via duplicate attributes causing mis-parsing (false positive)
  - CVE-2026-46598: ssh/agent: client panic on pathological inputs (malformed ed25519 wire bytes) (false positive)
  - CVE-2026-46597: ssh: byte arithmetic underflow in AES-GCM packet decoder → server-side panic (false positive)
  - CVE-2026-39828: ssh: bypass of certificate restrictions via PartialSuccessError with non-nil Permissions (false positive)
  - CVE-2026-39835: ssh: server panic during CheckHostKey/Authenticate when CertChecker has no authority callbacks (false positive)
  - CVE-2026-39833: ssh/agent: ConfirmBeforeUse constraint silently not enforced in in-memory keyring (false positive)
  - CVE-2026-39832: ssh/agent: destination constraints silently dropped when forwarding keys to remote agent (false positive)
  - CVE-2026-39827: ssh: memory leak via repeatedly rejected channels → server DoS (authenticated client) (false positive)
  - CVE-2026-39830: ssh: server deadlock via unsolicited global request responses filling internal buffer (false positive)
  - CVE-2026-39829: ssh: DoS via pathological RSA/DSA key parameters — exploitable pre-authentication (false positive)
  - CVE-2026-39831: ssh: bypass of FIDO/U2F physical interaction requirement (User Presence flag not checked) (false positive)
  - CVE-2026-39834: ssh: infinite loop on channel writes >4GB due to integer overflow in payload size (false positive)
  - CVE-2026-42508: ssh/knownhosts: auth bypass — @revoked status not checked on CA SignatureKey (false positive)
  - CVE-2026-46595: ssh: VerifiedPublicKeyCallback skips source-address validation when other callback types are used (false positive)
  - CVE-2026-39824: windows: integer overflow in NewNTUnicodeString returns truncated string instead of error (false positive)
Upgrading to the latest version is always advised.
🚀 Summary of changes for CEv2.13.6 (patch)
Recommended security upgrade addressing several vulnerabilities disclosed by the Go team
- Upgraded Go components, addressing several CVEs with disclosed descriptions:
  - CVE-2026-39821: x/net/idna: privilege escalation — incorrectly accepts ASCII-only Punycode-encoded labels
  - CVE-2026-42506: html: XSS via incorrect handling of namespaced elements in foreign content (false positive)
  - CVE-2026-42502: html: XSS via incorrect handling of HTML elements in foreign content (false positive)
  - CVE-2026-25680: html: DoS via cubic complexity algorithm during HTML tree construction (false positive)
  - CVE-2026-25681: html: XSS via incorrect handling of character references in DOCTYPE nodes (false positive)
  - CVE-2026-27136: html: XSS via duplicate attributes causing mis-parsing (false positive)
  - CVE-2026-46598: ssh/agent: client panic on pathological inputs (malformed ed25519 wire bytes) (false positive)
  - CVE-2026-46597: ssh: byte arithmetic underflow in AES-GCM packet decoder → server-side panic (false positive)
  - CVE-2026-39828: ssh: bypass of certificate restrictions via PartialSuccessError with non-nil Permissions (false positive)
  - CVE-2026-39835: ssh: server panic during CheckHostKey/Authenticate when CertChecker has no authority callbacks (false positive)
  - CVE-2026-39833: ssh/agent: ConfirmBeforeUse constraint silently not enforced in in-memory keyring (false positive)
  - CVE-2026-39832: ssh/agent: destination constraints silently dropped when forwarding keys to remote agent (false positive)
  - CVE-2026-39827: ssh: memory leak via repeatedly rejected channels → server DoS (authenticated client) (false positive)
  - CVE-2026-39830: ssh: server deadlock via unsolicited global request responses filling internal buffer (false positive)
  - CVE-2026-39829: ssh: DoS via pathological RSA/DSA key parameters — exploitable pre-authentication (false positive)
  - CVE-2026-39831: ssh: bypass of FIDO/U2F physical interaction requirement (User Presence flag not checked) (false positive)
  - CVE-2026-39834: ssh: infinite loop on channel writes >4GB due to integer overflow in payload size (false positive)
  - CVE-2026-42508: ssh/knownhosts: auth bypass — @revoked status not checked on CA SignatureKey (false positive)
  - CVE-2026-46595: ssh: VerifiedPublicKeyCallback skips source-address validation when other callback types are used (false positive)
  - CVE-2026-39824: windows: integer overflow in NewNTUnicodeString returns truncated string instead of error (false positive)
Upgrading to the latest version is always advised.
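The upgrade advice in both sections above is easiest to verify on the deployed artifact itself: every Go binary embeds the module versions it was built with, and `go version -m <binary>` prints them. The Go program below is an added example, not KrakenD's own code. It parses that dump format with the standard library's runtime/debug.ParseBuildInfo and flags each listed module (golang.org/x/net, golang.org/x/crypto, and golang.org/x/sys, which holds the windows package named in the last CVE) that is linked in below an assumed minimum. The sample dump and the minimum versions are constructed placeholders: the release notes do not state which module versions carry the fixes, so take the real thresholds from the Go vulnerability database before relying on the check.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"sort"
	"strconv"
	"strings"
)

// sampleBuildInfo is a CONSTRUCTED dump in the text format that
// `go version -m <binary>` prints; runtime/debug.ParseBuildInfo reads it.
// The module versions are placeholders, not what KrakenD ships.
const sampleBuildInfo = "go\tgo1.23.0\n" +
	"path\tgithub.com/example/gateway\n" +
	"mod\tgithub.com/example/gateway\tv2.13.6\n" +
	"dep\tgolang.org/x/crypto\tv0.40.0\th1:PLACEHOLDER\n" +
	"dep\tgolang.org/x/net\tv0.44.0\th1:PLACEHOLDER\n" +
	"dep\tgolang.org/x/sys\tv0.35.0-0.20260101000000-abcdef012345\th1:PLACEHOLDER\n"

// minPatched holds ASSUMED minimum patched versions: the release notes above
// do not name them, so take the real values from the Go vulnerability database
// (pkg.go.dev/vuln) before relying on this check.
var minPatched = map[string]string{
	"golang.org/x/crypto": "v0.40.0",
	"golang.org/x/net":    "v0.45.0",
	"golang.org/x/sys":    "v0.35.0",
}

// parseVersion splits "vMAJOR.MINOR.PATCH[-prerelease][+build]" into numbers
// and reports whether a prerelease suffix is present (Go pseudo-versions such
// as v0.35.0-0.2026...-abcdef are prereleases of v0.35.0).
func parseVersion(v string) (nums [3]int, prerelease bool, ok bool) {
	if !strings.HasPrefix(v, "v") {
		return nums, false, false
	}
	core := v[1:]
	if i := strings.IndexByte(core, '+'); i >= 0 {
		core = core[:i] // build metadata never affects precedence
	}
	if i := strings.IndexByte(core, '-'); i >= 0 {
		prerelease, core = true, core[:i]
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return nums, false, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, false, false
		}
		nums[i] = n
	}
	return nums, prerelease, true
}

// compareVersions returns -1, 0 or +1 by semver precedence. A prerelease of
// X.Y.Z ranks below the release X.Y.Z; two prereleases of the same core are
// treated as equal, which is enough for an "at least the patched release" test.
func compareVersions(a, b string) (int, error) {
	an, apre, aok := parseVersion(a)
	bn, bpre, bok := parseVersion(b)
	if !aok || !bok {
		return 0, fmt.Errorf("unparseable version %q or %q", a, b)
	}
	for i := range an {
		if an[i] < bn[i] {
			return -1, nil
		}
		if an[i] > bn[i] {
			return 1, nil
		}
	}
	if apre != bpre {
		if apre {
			return -1, nil
		}
		return 1, nil
	}
	return 0, nil
}

// Finding names one linked-in module that is below its assumed patched version.
type Finding struct{ Path, Have, Want string }

// checkBuildInfo parses a build-info dump and returns, sorted by module path,
// every module from minimums that the binary links in at an older version.
// Modules that are not linked in at all are skipped: nothing to patch there.
func checkBuildInfo(dump string, minimums map[string]string) ([]Finding, error) {
	bi, err := debug.ParseBuildInfo(dump)
	if err != nil {
		return nil, err
	}
	have := make(map[string]string, len(bi.Deps))
	for _, d := range bi.Deps {
		v := d.Version
		if d.Replace != nil { // a replace directive decides what was really built in
			v = d.Replace.Version
		}
		have[d.Path] = v
	}
	var findings []Finding
	for path, want := range minimums {
		got, linked := have[path]
		if !linked {
			continue
		}
		cmp, err := compareVersions(got, want)
		if err != nil {
			return nil, err
		}
		if cmp < 0 {
			findings = append(findings, Finding{path, got, want})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Path < findings[j].Path })
	return findings, nil
}

func main() {
	findings, err := checkBuildInfo(sampleBuildInfo, minPatched)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: have %s, assumed fix %s -> upgrade\n", f.Path, f.Have, f.Want)
	}
}
```

To run it against a real gateway, replace sampleBuildInfo with the output of `go version -m` on the binary (or read it with debug/buildinfo.ReadFile) and fill minPatched from the vulnerability database entries for the CVEs listed above. The check only answers "is the linked-in module at least the patched release"; govulncheck goes further by also telling you whether the vulnerable functions are actually reachable, which is what turns a listed CVE into a confirmed false positive.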