News KrakenD CE 2.13.8 and EE 2.13.6 update released

CVE-2026-39822 Medium False Positive

os: Root Escape via Symlink With Trailing Slash

This CVE does not affect KrakenD

The vulnerability exists only in Go’s os.Root sandboxed filesystem API. KrakenD does not use os.Root anywhere: it does not expose a chroot-style directory sandbox and never opens user-controlled paths through this API. With no os.Root in use, the vulnerable symlink traversal path is never reached, regardless of configuration.

Addressed through routine dependency maintenance in CE 2.13.8 and EE 2.13.6.

Component

Go standard library (os)

Disclosed

Jul 8, 2026

Description

Go’s os.Root API, which restricts filesystem access to a directory tree, improperly followed symlinks pointing outside the root on Unix systems when a path ended with a trailing slash. Because openat(fd, path, O_NOFOLLOW) follows the final symlink when the path terminates with /, a call such as root.Open("symlink/") would open the symlink’s target even when it pointed outside the sandbox, defeating the os.Root containment guarantee. This does not affect KrakenD, which never uses the os.Root sandboxed filesystem API.

Stay up to date with KrakenD releases and important updates