CVE-2026-39821
Severity: Critical (CVSS 10)
Impact: Medium
This CVE can affect KrakenD under specific conditions. Review the affected versions below and upgrade if your deployment is exposed.

KrakenD uses golang.org/x/net/idna for hostname normalization when routing requests to backends. A crafted Punycode-encoded hostname in a request could bypass hostname-based access controls or routing rules. Deployments that enforce host-based routing or allow dynamic upstream URL components from external sources are most exposed.

Component: golang.org/x/net (idna)
Disclosed: May 26, 2026
CVSS Score: 10
The golang.org/x/net/idna package incorrectly accepts Punycode-encoded labels that decode to ASCII-only strings, violating UTS 46 revision 33. For example, xn--example-.com is accepted and normalized to example.com instead of being rejected. An attacker can supply a Punycode-encoded form of a blocked hostname to bypass hostname-based security checks and gain access to resources that should be restricted.

Community Edition: 2.13.6 addresses this CVE
Affected CE versions: >= 2.0, < 2.13.6
Enterprise Edition: 2.13.4 addresses this CVE
Affected EE versions: >= 2.0, < 2.13.4
Upgrade to the addressed version or later to remediate this vulnerability.
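The UTS 46 rule the advisory describes, applied as a defensive hostname check: an A-label (xn--...) must decode to a string that contains at least one non-ASCII character and must round-trip, otherwise the hostname is rejected rather than normalized. This is an added example written in Python with the standard-library punycode codec, not KrakenD's or x/net's code; the deny-list and hostnames are constructed for the demonstration.

```python
import codecs
import re

# Constructed deny-list standing in for a gateway's hostname-based rule.
BLOCKED_HOSTS = {"example.com"}

# ASCII label charset as carried in a Host header (no length/hyphen-position
# rules here; the A-label checks below are the point of the example).
LABEL_RE = re.compile(r"^[a-z0-9-]{1,63}$")


def decode_label(label: str) -> str:
    """Return the U-label for one hostname label, or raise ValueError.

    Plain ASCII labels pass through. An A-label must decode to something
    with a non-ASCII character (UTS 46) and must re-encode to itself.
    """
    label = label.lower()
    if not LABEL_RE.match(label):
        raise ValueError(f"malformed label {label!r}")
    if not label.startswith("xn--"):
        return label
    try:
        decoded = codecs.decode(label[4:].encode("ascii"), "punycode")
    except ValueError as exc:  # UnicodeError is a ValueError subclass
        raise ValueError(f"undecodable A-label {label!r}") from exc
    if decoded.isascii():
        # The case the affected idna versions got wrong: xn--example- was
        # normalized to "example" instead of being rejected.
        raise ValueError(f"A-label {label!r} decodes to ASCII-only {decoded!r}")
    if "xn--" + codecs.encode(decoded, "punycode").decode("ascii") != label:
        raise ValueError(f"A-label {label!r} does not round-trip")
    return decoded


def normalize_host(host: str) -> str:
    """Normalize every label of a hostname; raises ValueError on any bad label."""
    return ".".join(decode_label(part) for part in host.rstrip(".").split("."))


def is_blocked(host: str) -> bool:
    """Deny on any normalization failure as well as on a deny-list hit."""
    try:
        return normalize_host(host) in BLOCKED_HOSTS
    except ValueError:
        return True


if __name__ == "__main__":
    for h in ["example.com", "xn--example-.com", "xn--mnchen-3ya.de"]:
        print(h, "->", "blocked" if is_blocked(h) else "allowed")
```

Failing closed on malformed input matters here: a label that cannot be normalized must never reach the routing or allow-list comparison as a raw string.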