CVE-2026-32282
Medium · CVSS 5.5
False Positive
os.Root sandboxed filesystem API at runtime. The vulnerable os.Root.Chmod code path is never invoked during KrakenD operation. Addressed through routine dependency maintenance in CE 2.13.4 and EE 2.13.2.
Component
Go standard library (os)
Disclosed
Apr 8, 2026
CVSS Score
5.5
The os.Root.Chmod method follows symbolic links that point outside the root directory
boundary on Linux, defeating the sandboxing guarantee of the os.Root API. An attacker
with the ability to create symlinks inside a sandboxed root and trigger a Chmod call
could affect files outside the intended boundary.Stay up to date with KrakenD releases and important updates