CVE-2026-39822
Medium
False Positiveos.Root sandboxed filesystem API. KrakenD does not
use os.Root anywhere: it does not expose a chroot-style directory sandbox and never opens
user-controlled paths through this API. With no os.Root in use, the vulnerable symlink
traversal path is never reached, regardless of configuration.Addressed through routine dependency maintenance in CE 2.13.8 and EE 2.13.6.
Component
Go standard library (os)
Disclosed
Jul 8, 2026
os.Root API, which restricts filesystem access to a directory tree, improperly
followed symlinks pointing outside the root on Unix systems when a path ended with a
trailing slash. Because openat(fd, path, O_NOFOLLOW) follows the final symlink when the
path terminates with /, a call such as root.Open("symlink/") would open the symlink’s
target even when it pointed outside the sandbox, defeating the os.Root containment guarantee.
This does not affect KrakenD, which never uses the os.Root sandboxed filesystem API.Stay up to date with KrakenD releases and important updates