
Security Advisories

Track the CVEs and security advisories that may affect KrakenD. We publish our assessment of each vulnerability so your team has the information at hand. In the table below, Status is either Advisory (KrakenD is affected; the Affects column names the editions) or False Positive (the CVE is reported against a dependency but does not affect KrakenD, so Affects is None). Addressed In lists the CE and EE releases that ship the fix or the updated dependency.

| CVE ID | Title | Severity | Status | Affects | Addressed In | Disclosed |
|---|---|---|---|---|---|---|
| CVE-2026-39821 | x/net/idna: Punycode-Encoded Labels Bypass Hostname Security Checks | Critical | Advisory | CE / EE | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-25680 | html: Denial of Service via Cubic Complexity During Tree Construction | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-25681 | html: XSS via Incorrect Handling of Character References in DOCTYPE | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-27136 | html: XSS via Duplicate Attributes Causing Mis-parsing | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39824 | windows: Integer Overflow in NewNTUnicodeString | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39827 | ssh: Memory Leak via Repeatedly Rejected Channels Enables Server DoS | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39828 | ssh: Certificate Restrictions Bypass via PartialSuccessError | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39829 | ssh: Denial of Service via Pathological RSA/DSA Key Parameters | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39830 | ssh: Server Deadlock via Unsolicited Global Request Responses | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39831 | ssh: FIDO/U2F Physical Interaction Requirement Bypass | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39832 | ssh/agent: Destination Constraints Dropped When Forwarding Keys | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39833 | ssh/agent: ConfirmBeforeUse Constraint Silently Not Enforced | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39834 | ssh: Infinite Loop on Channel Writes Due to Integer Overflow | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-39835 | ssh: Server Panic When CertChecker Has No Authority Callbacks | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-42502 | html: XSS via HTML Elements in Foreign Content | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-42506 | html: XSS via Namespaced Elements in Foreign Content | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-42508 | ssh/knownhosts: @revoked Status Not Checked on CA SignatureKey | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-46595 | ssh: VerifiedPublicKeyCallback Skips Source-Address Validation | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-46597 | ssh: Byte Arithmetic Underflow in AES-GCM Packet Decoder | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-46598 | ssh/agent: Client Panic on Malformed ed25519 Wire Bytes | Medium | False Positive | None | CE 2.13.6 / EE 2.13.4 | May 26, 2026 |
| CVE-2026-32952 | auth/ntlm: Process Crash via Malicious NTLM Challenge Message | High | Advisory | EE only | EE 2.13.3 | May 11, 2026 |
| CVE-2026-33811 | net: Application Crash via Long CNAME DNS Response | High | Advisory | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-33814 | net/http: Infinite Loop in HTTP/2 Transport via Zero SETTINGS_MAX_FRAME_SIZE | High | Advisory | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-42151 | Prometheus: Azure AD OAuth Client Secret Exposed in Plaintext | High | False Positive | None | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-42154 | Prometheus: Memory Exhaustion via Crafted Remote Read Request | High | False Positive | None | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-39817 | cmd/go: go tool pack Does Not Sanitize Output Paths | Medium | False Positive | None | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-39819 | cmd/go: go bug Follows Symlinks in Predictable Temporary Filenames | Medium | False Positive | None | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-39820 | net/mail: Quadratic String Concatenation in consumeComment | Medium | False Positive | None | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-39823 | html/template: Meta Content URL Escaping Bypass Causes XSS | Medium | False Positive | None | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-39825 | net/http/httputil: ReverseProxy Forwards Hidden Query Parameters | Medium | Advisory | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-39826 | html/template: Escaper Bypass Leads to Cross-Site Scripting | Medium | False Positive | None | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-39836 | net: Panic in Dial and LookupPort on Windows via NUL Byte | Medium | False Positive | None | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-39882 | telemetry/opentelemetry: OTLP HTTP Exporter Reads Unbounded Response Body | Medium | Advisory | CE / EE | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-40179 | Prometheus: Stored XSS in Web UI via Metric Names and Label Values | Medium | False Positive | None | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-42499 | net/mail: Quadratic String Concatenation in consumePhrase | Medium | False Positive | None | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-42501 | cmd/go: Malicious Module Proxy Can Bypass Checksum Database | Medium | False Positive | None | CE 2.13.5 / EE 2.13.3 | May 11, 2026 |
| CVE-2026-27143 | cmd/compile: Memory Corruption After Bound Check Elimination | High | False Positive | None | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-32283 | crypto/tls: TLS Connection Deadlock via Key Update Flood | High | Advisory | CE / EE | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-34986 | auth/validator: Go JOSE Panic via Empty Encrypted Key in JWE Key Wrapping | High | False Positive | None | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-27140 | cmd/go: Trust Layer Bypass with cgo and SWIG | Medium | False Positive | None | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-27144 | cmd/compile: No-op Interface Conversion Bypasses Overlap Checking | Medium | False Positive | None | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-32280 | crypto/x509: Unexpected Work During Certificate Chain Building | Medium | Advisory | CE / EE | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-32281 | crypto/x509: Inefficient Policy Validation | Medium | Advisory | CE / EE | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-32282 | os: Root.Chmod Follows Symlinks Outside Root on Linux | Medium | False Positive | None | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-32288 | archive/tar: Unbounded Memory Allocation in GNU Sparse Map Parsing | Medium | False Positive | None | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-32289 | html/template: JS Template Literal Context Incorrectly Tracked | Medium | False Positive | None | CE 2.13.4 / EE 2.13.2 | Apr 8, 2026 |
| CVE-2026-33186 | grpc: Authorization Bypass via Custom Interceptors or Per-RPC Plugins | High | False Positive | None | CE 2.13.3 / EE 2.13.1 | Mar 19, 2026 |
| CVE-2026-24051 | telemetry/opentelemetry: Arbitrary Code Execution via Untrusted PATH on macOS | High | Advisory | CE / EE | CE 2.13.2 / EE 2.13.0 | Mar 9, 2026 |
| CVE-2026-25679 | net/url: IPv6 Literal Validation Bypass | Medium | Advisory | CE / EE | CE 2.13.2 / EE 2.13.0 | Mar 9, 2026 |
| CVE-2026-27139 | os: FileInfo Can Escape from a Root | Medium | Advisory | CE / EE | CE 2.13.2 / EE 2.13.0 | Mar 9, 2026 |
| CVE-2026-27142 | html/template: URLs in Meta Content Attribute Not Escaped | Medium | False Positive | None | CE 2.13.2 / EE 2.13.0 | Mar 9, 2026 |
| CVE-2026-3206 | backend/circuit-breaker: Uncontrolled Context Cancellation Causes Cascading Request Failures | Medium | Advisory | CE / EE | CE 2.13.1 / EE 2.12.5 | Feb 18, 2026 |
| CVE-2025-61732 | cmd/cgo: Code Smuggling into cgo Binary via Comment Parsing | Medium | False Positive | None | CE 2.13.0 / EE 2.12.4 | Feb 10, 2026 |
| CVE-2025-68121 | crypto/tls: TLS Session Key Mismanagement in Config.Clone and GetConfigForClient | Medium | Advisory | CE / EE | CE 2.13.0 / EE 2.12.4 | Feb 10, 2026 |
| CVE-2025-61731 | cmd/go: CgoPkgConfig Flag Bypass Leads to Arbitrary Code Execution | High | False Positive | None | CE 2.12.1 / EE 2.12.3 | Jan 16, 2026 |
| CVE-2025-68119 | cmd/go: VCS Toolchain Misinterpretation Enables Code Execution | High | False Positive | None | CE 2.12.1 / EE 2.12.3 | Jan 16, 2026 |
| CVE-2025-61726 | net/http: Memory Exhaustion from Excessive Form Key-Value Pairs | Medium | Advisory | CE / EE | CE 2.12.1 / EE 2.12.3 | Jan 16, 2026 |
| CVE-2025-61728 | archive/zip: Super-linear Filename Indexing Causes DoS on Malicious ZIPs | Medium | False Positive | None | CE 2.12.1 / EE 2.12.3 | Jan 16, 2026 |
| CVE-2025-61727 | crypto/x509: Subdomain Exclusion Constraint Does Not Restrict Wildcard SANs | Medium | Advisory | CE / EE | CE 2.12.1 / EE 2.12.2 | Dec 4, 2025 |
| CVE-2025-61729 | crypto/x509: Quadratic Runtime in HostnameError.Error via Malicious Certificate | Medium | Advisory | CE / EE | CE 2.12.1 / EE 2.12.2 | Dec 4, 2025 |
| CVE-2025-47914 | x/crypto/ssh/agent: Panic via Malformed Identity Request Message | Medium | False Positive | None | CE 2.12.1 / EE 2.12.1 | Nov 21, 2025 |
| CVE-2025-58181 | x/crypto/ssh: Memory Exhaustion via Unbounded GSSAPI Mechanism Count | Medium | False Positive | None | CE 2.12.1 / EE 2.12.1 | Nov 21, 2025 |
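The Addressed In column is what a version check against this table needs: a running version is exposed to an Advisory row when it is older than that row's fix for its edition, and rows marked False Positive need no action at all. The Go program below is an added example written for this page, not KrakenD's own tooling or the version checker of the original site. It embeds a snapshot of the Advisory rows above as constructed data and, given an edition and a running version, lists the advisories that version has not picked up. The type `Advisory`, the functions `OpenAdvisories`, `parseVersion` and `versionLess`, and the assumption that KrakenD versions compare as plain `major.minor.patch` integers are choices made here.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Advisory is one Advisory-status row of the table above. FixedCE and FixedEE
// hold the "Addressed In" versions; an empty string means that edition is not
// affected (the EE-only NTLM row has no CE fix).
type Advisory struct {
	CVE, Title, FixedCE, FixedEE string
}

// advisories is a constructed snapshot of the Advisory rows above (table
// order, newest first). False Positive rows are omitted: they need no action.
var advisories = []Advisory{
	{"CVE-2026-39821", "x/net/idna: Punycode-Encoded Labels Bypass Hostname Security Checks", "2.13.6", "2.13.4"},
	{"CVE-2026-32952", "auth/ntlm: Process Crash via Malicious NTLM Challenge Message", "", "2.13.3"},
	{"CVE-2026-33811", "net: Application Crash via Long CNAME DNS Response", "2.13.5", "2.13.3"},
	{"CVE-2026-33814", "net/http: Infinite Loop in HTTP/2 Transport via Zero SETTINGS_MAX_FRAME_SIZE", "2.13.5", "2.13.3"},
	{"CVE-2026-39825", "net/http/httputil: ReverseProxy Forwards Hidden Query Parameters", "2.13.5", "2.13.3"},
	{"CVE-2026-39882", "telemetry/opentelemetry: OTLP HTTP Exporter Reads Unbounded Response Body", "2.13.5", "2.13.3"},
	{"CVE-2026-32283", "crypto/tls: TLS Connection Deadlock via Key Update Flood", "2.13.4", "2.13.2"},
	{"CVE-2026-32280", "crypto/x509: Unexpected Work During Certificate Chain Building", "2.13.4", "2.13.2"},
	{"CVE-2026-32281", "crypto/x509: Inefficient Policy Validation", "2.13.4", "2.13.2"},
	{"CVE-2026-24051", "telemetry/opentelemetry: Arbitrary Code Execution via Untrusted PATH on macOS", "2.13.2", "2.13.0"},
	{"CVE-2026-25679", "net/url: IPv6 Literal Validation Bypass", "2.13.2", "2.13.0"},
	{"CVE-2026-27139", "os: FileInfo Can Escape from a Root", "2.13.2", "2.13.0"},
	{"CVE-2026-3206", "backend/circuit-breaker: Uncontrolled Context Cancellation Causes Cascading Request Failures", "2.13.1", "2.12.5"},
	{"CVE-2025-68121", "crypto/tls: TLS Session Key Mismanagement in Config.Clone and GetConfigForClient", "2.13.0", "2.12.4"},
	{"CVE-2025-61726", "net/http: Memory Exhaustion from Excessive Form Key-Value Pairs", "2.12.1", "2.12.3"},
	{"CVE-2025-61727", "crypto/x509: Subdomain Exclusion Constraint Does Not Restrict Wildcard SANs", "2.12.1", "2.12.2"},
	{"CVE-2025-61729", "crypto/x509: Quadratic Runtime in HostnameError.Error via Malicious Certificate", "2.12.1", "2.12.2"},
}

// parseVersion turns "2.13.4" (or "v2.13.4") into []int{2, 13, 4}.
// Anything that is not dot-separated non-negative integers is rejected.
func parseVersion(v string) ([]int, error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(v), "v"), ".")
	out := make([]int, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("invalid version %q", v)
		}
		out = append(out, n)
	}
	return out, nil
}

// versionLess reports whether a < b component by component. A missing
// trailing component counts as 0, so "2.13" equals "2.13.0".
func versionLess(a, b []int) bool {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// OpenAdvisories returns, in table order, the advisories that a KrakenD of the
// given edition ("CE" or "EE") and version has not yet picked up.
func OpenAdvisories(edition, version string) ([]Advisory, error) {
	running, err := parseVersion(version)
	if err != nil {
		return nil, err
	}
	edition = strings.ToUpper(strings.TrimSpace(edition))
	if edition != "CE" && edition != "EE" {
		return nil, fmt.Errorf("unknown edition %q (want CE or EE)", edition)
	}
	var open []Advisory
	for _, a := range advisories {
		fixed := a.FixedCE
		if edition == "EE" {
			fixed = a.FixedEE
		}
		if fixed == "" {
			continue // this edition is not affected by the row
		}
		fixedV, err := parseVersion(fixed)
		if err != nil {
			return nil, err // bad table data: surface it instead of hiding it
		}
		if versionLess(running, fixedV) {
			open = append(open, a)
		}
	}
	return open, nil
}

func main() {
	for _, p := range []struct{ edition, version string }{{"CE", "2.13.4"}, {"EE", "2.13.4"}} {
		open, err := OpenAdvisories(p.edition, p.version)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s %s: %d open advisories\n", p.edition, p.version, len(open))
		for _, a := range open {
			fmt.Printf("  %s  %s\n", a.CVE, a.Title)
		}
	}
}
```

Two caveats apply when using this check. First, the embedded rows are a point-in-time copy; regenerate them from this page before relying on the result. Second, a version that is "not open" here is only clear of the advisories KrakenD confirmed; it says nothing about False Positive rows, which are listed because a dependency scanner will flag them even though KrakenD is not affected.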
Read our Security Policy to learn how KrakenD handles vulnerability disclosure and reporting. KrakenD is a CVE Numbering Authority (CNA).
