
Security Advisories

Track CVEs and security advisories that may affect KrakenD. We publish our assessment of each vulnerability, so your team has the information at hand.

| CVE ID | Title | Severity | Status | Affects | Addressed In | Disclosed |
|---|---|---|---|---|---|---|
| CVE-2026-27145 | crypto/x509: Denial of Service via Quadratic Complexity in Hostname Verification | Medium | Advisory | CE / EE | CE 2.13.7 / EE 2.13.5 | Jun 3, 2026 |
| CVE-2026-42504 | mime: Denial of Service via Quadratic Complexity in MIME Header Decoding | Medium | Advisory | CE / EE | CE 2.13.7 / EE 2.13.5 | Jun 3, 2026 |
| CVE-2026-42507 | net/textproto: Log Injection via Unescaped Input in Error Messages | Medium | Advisory | CE / EE | CE 2.13.7 / EE 2.13.5 | Jun 3, 2026 |
| CVE-2026-39821 | x/net/idna: Punycode-Encoded Labels Bypass Hostname Security Checks | Critical | Advisory | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-25680 | html: Denial of Service via Cubic Complexity During Tree Construction | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-25681 | html: XSS via Incorrect Handling of Character References in DOCTYPE | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-27136 | html: XSS via Duplicate Attributes Causing Mis-parsing | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39824 | windows: Integer Overflow in NewNTUnicodeString | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39827 | ssh: Memory Leak via Repeatedly Rejected Channels Enables Server DoS | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39828 | ssh: Certificate Restrictions Bypass via PartialSuccessError | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39829 | ssh: Denial of Service via Pathological RSA/DSA Key Parameters | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39830 | ssh: Server Deadlock via Unsolicited Global Request Responses | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39831 | ssh: FIDO/U2F Physical Interaction Requirement Bypass | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39832 | ssh/agent: Destination Constraints Dropped When Forwarding Keys | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39833 | ssh/agent: ConfirmBeforeUse Constraint Silently Not Enforced | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39834 | ssh: Infinite Loop on Channel Writes Due to Integer Overflow | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39835 | ssh: Server Panic When CertChecker Has No Authority Callbacks | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-42502 | html: XSS via HTML Elements in Foreign Content | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-42506 | html: XSS via Namespaced Elements in Foreign Content | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-42508 | ssh/knownhosts: @revoked Status Not Checked on CA SignatureKey | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-46595 | ssh: VerifiedPublicKeyCallback Skips Source-Address Validation | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-46597 | ssh: Byte Arithmetic Underflow in AES-GCM Packet Decoder | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-46598 | ssh/agent: Client Panic on Malformed ed25519 Wire Bytes | Medium | False Positive | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-32952 | auth/ntlm: Process Crash via Malicious NTLM Challenge Message | High | Advisory | EE only | EE 2.13.3 | May 11, 2026 |
| CVE-2026-33811 | net: Application Crash via Long CNAME DNS Response | High | Advisory | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-33814 | net/http: Infinite Loop in HTTP/2 Transport via Zero SETTINGS_MAX_FRAME_SIZE | High | Advisory | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-42151 | Prometheus: Azure AD OAuth Client Secret Exposed in Plaintext | High | False Positive | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-42154 | Prometheus: Memory Exhaustion via Crafted Remote Read Request | High | False Positive | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-39817 | cmd/go: go tool pack Does Not Sanitize Output Paths | Medium | False Positive | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-39819 | cmd/go: go bug Follows Symlinks in Predictable Temporary Filenames | Medium | False Positive | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-39820 | net/mail: Quadratic String Concatenation in consumeComment | Medium | False Positive | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-39823 | html/template: Meta Content URL Escaping Bypass Causes XSS | Medium | False Positive | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-39825 | net/http/httputil: ReverseProxy Forwards Hidden Query Parameters | Medium | Advisory | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-39826 | html/template: Escaper Bypass Leads to Cross-Site Scripting | Medium | False Positive | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-39836 | net: Panic in Dial and LookupPort on Windows via NUL Byte | Medium | False Positive | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-39882 | telemetry/opentelemetry: OTLP HTTP Exporter Reads Unbounded Response Body | Medium | Advisory | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-40179 | Prometheus: Stored XSS in Web UI via Metric Names and Label Values | Medium | False Positive | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-42499 | net/mail: Quadratic String Concatenation in consumePhrase | Medium | False Positive | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-42501 | cmd/go: Malicious Module Proxy Can Bypass Checksum Database | Medium | False Positive | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-27143 | cmd/compile: Memory Corruption After Bound Check Elimination | High | False Positive | CE / EE | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-32283 | crypto/tls: TLS Connection Deadlock via Key Update Flood | High | Advisory | CE / EE | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-34986 | auth/validator: Go JOSE Panic via Empty Encrypted Key in JWE Key Wrapping | High | False Positive | CE / EE | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-27140 | cmd/go: Trust Layer Bypass with cgo and SWIG | Medium | False Positive | CE / EE | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-27144 | cmd/compile: No-op Interface Conversion Bypasses Overlap Checking | Medium | False Positive | CE / EE | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-32280 | crypto/x509: Unexpected Work During Certificate Chain Building | Medium | Advisory | CE / EE | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-32281 | crypto/x509: Inefficient Policy Validation | Medium | Advisory | CE / EE | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-32282 | os: Root.Chmod Follows Symlinks Outside Root on Linux | Medium | False Positive | CE / EE | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-32288 | archive/tar: Unbounded Memory Allocation in GNU Sparse Map Parsing | Medium | False Positive | CE / EE | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-32289 | html/template: JS Template Literal Context Incorrectly Tracked | Medium | False Positive | CE / EE | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-33186 | grpc: Authorization Bypass via Custom Interceptors or Per-RPC Plugins | High | False Positive | CE / EE | CE 2.13.3 / EE 2.13.1 | Mar 19, 2026 |
| CVE-2026-24051 | telemetry/opentelemetry: Arbitrary Code Execution via Untrusted PATH on macOS | High | Advisory | CE / EE | CE 2.13.2 / EE 2.13.0 | Mar 9, 2026 |
| CVE-2026-25679 | net/url: IPv6 Literal Validation Bypass | Medium | Advisory | CE / EE | CE 2.13.2 / EE 2.13.0 | Mar 9, 2026 |
| CVE-2026-27139 | os: FileInfo Can Escape from a Root | Medium | Advisory | CE / EE | CE 2.13.2 / EE 2.13.0 | Mar 9, 2026 |
| CVE-2026-27142 | html/template: URLs in Meta Content Attribute Not Escaped | Medium | False Positive | CE / EE | CE 2.13.2 / EE 2.13.0 | Mar 9, 2026 |
| CVE-2026-3206 | backend/circuit-breaker: Uncontrolled Context Cancellation Causes Cascading Request Failures | Medium | Advisory | CE / EE | CE 2.13.1 / EE 2.12.5 | Feb 18, 2026 |
| CVE-2025-61732 | cmd/cgo: Code Smuggling into cgo Binary via Comment Parsing | Medium | False Positive | CE / EE | CE 2.13.0 / EE 2.12.4 | Feb 10, 2026 |
| CVE-2025-68121 | crypto/tls: TLS Session Key Mismanagement in Config.Clone and GetConfigForClient | Medium | Advisory | CE / EE | CE 2.13.0 / EE 2.12.4 | Feb 10, 2026 |
| CVE-2025-61731 | cmd/go: CgoPkgConfig Flag Bypass Leads to Arbitrary Code Execution | High | False Positive | CE / EE | CE 2.12.1 / EE 2.12.3 | Jan 16, 2026 |
| CVE-2025-68119 | cmd/go: VCS Toolchain Misinterpretation Enables Code Execution | High | False Positive | CE / EE | CE 2.12.1 / EE 2.12.3 | Jan 16, 2026 |
| CVE-2025-61726 | net/http: Memory Exhaustion from Excessive Form Key-Value Pairs | Medium | Advisory | CE / EE | CE 2.12.1 / EE 2.12.3 | Jan 16, 2026 |
| CVE-2025-61728 | archive/zip: Super-linear Filename Indexing Causes DoS on Malicious ZIPs | Medium | False Positive | CE / EE | CE 2.12.1 / EE 2.12.3 | Jan 16, 2026 |
| CVE-2025-61727 | crypto/x509: Subdomain Exclusion Constraint Does Not Restrict Wildcard SANs | Medium | Advisory | CE / EE | CE 2.12.1 / EE 2.12.2 | Dec 4, 2025 |
| CVE-2025-61729 | crypto/x509: Quadratic Runtime in HostnameError.Error via Malicious Certificate | Medium | Advisory | CE / EE | CE 2.12.1 / EE 2.12.2 | Dec 4, 2025 |
| CVE-2025-47914 | x/crypto/ssh/agent: Panic via Malformed Identity Request Message | Medium | False Positive | CE / EE | CE 2.12.1 / EE 2.12.1 | Nov 21, 2025 |
| CVE-2025-58181 | x/crypto/ssh: Memory Exhaustion via Unbounded GSSAPI Mechanism Count | Medium | False Positive | CE / EE | CE 2.12.1 / EE 2.12.1 | Nov 21, 2025 |
| CVE-2025-58187 | crypto/x509: Name Constraint Validation Denial of Service via Quadratic Complexity | High | Advisory | CE / EE | CE 2.11.1 / EE 2.11.2 | Oct 8, 2025 |
| CVE-2025-58188 | crypto/x509: Panic on Certificate Validation with DSA Public Keys | High | Advisory | CE / EE | CE 2.11.1 / EE 2.11.2 | Oct 8, 2025 |
| CVE-2025-61723 | encoding/pem: Denial of Service via Quadratic Complexity on Invalid PEM Input | High | Advisory | CE / EE | CE 2.11.1 / EE 2.11.2 | Oct 8, 2025 |
| CVE-2025-58185 | encoding/asn1: Memory Exhaustion via Malicious DER Payload | Medium | Advisory | CE / EE | CE 2.11.1 / EE 2.11.2 | Oct 8, 2025 |
| CVE-2025-58186 | net/http: Memory Exhaustion via Unbounded Cookie Parsing | Medium | Advisory | CE / EE | CE 2.11.1 / EE 2.11.2 | Oct 8, 2025 |
| CVE-2025-58189 | crypto/tls: Attacker-Controlled Text in ALPN Negotiation Error | Medium | Advisory | CE / EE | CE 2.11.1 / EE 2.11.2 | Oct 8, 2025 |
| CVE-2025-61724 | net/textproto: CPU Exhaustion via Excessive HTTP Response Lines | Medium | Advisory | CE / EE | CE 2.11.1 / EE 2.11.2 | Oct 8, 2025 |
| CVE-2025-4674 | cmd/go: Unexpected Command Execution via Untrusted VCS Repository Metadata | High | False Positive | CE / EE | CE 2.10.2 / EE 2.10.3 | Jul 9, 2025 |
| CVE-2025-22868 | go-jose: Memory Exhaustion via Malformed Token Parsing | High | False Positive | CE / EE | CE 2.10.1 / EE 2.10.1 | Jun 19, 2025 |
| CVE-2025-22874 | crypto/x509: Certificate Policy Validation Bypass via ExtKeyUsageAny | High | Advisory | CE / EE | CE 2.10.1 / EE 2.10.1 | Jun 19, 2025 |
| CVE-2025-4673 | net/http: Proxy Header Leak on Cross-Origin Redirects | Medium | Advisory | CE / EE | CE 2.10.1 / EE 2.10.1 | Jun 19, 2025 |

Read our Security Policy to learn how KrakenD handles vulnerability disclosure and reporting. KrakenD is a CVE Numbering Authority (CNA).
