KrakenD allowed us to focus on our backend and deploy a secure and performant system in a few days. After more than 2 years of use in production and 0 crash or malfunction, it also has proven its robustness
Jonathan Muller
CTO / Openroom Inc.
CVE-2026-39824
Medium
False Positivegolang.org/x/sys/windows.NewNTUnicodeString in its
operation. This vulnerability is specific to Windows platform code paths that
KrakenD does not exercise. The dependency was upgraded as a precaution.Addressed through routine dependency maintenance in CE 2.13.6 and EE 2.13.4.
Component
golang.org/x/sys (Windows)
Disclosed
May 26, 2026
golang.org/x/sys/windows package causes
NewNTUnicodeString to return a truncated string instead of an error when the
input exceeds the maximum representable length. Applications relying on this
function for path or string construction may silently receive incorrect values.Stay up to date with KrakenD releases and important updates