CVE-2026-39825
Medium · CVSS 5.3
Medium Impact
This CVE can affect KrakenD under specific conditions. Review the affected versions below and upgrade if your deployment is exposed.
net/http/httputil.ReverseProxy to forward requests to backends.
Endpoints that pass query parameters through to the backend (input_query_strings) may be affected if an attacker sends a request with more query parameters than the urlmaxqueryparams limit (default: 10,000): the parameters beyond the limit are not visible to the proxy's filtering and reach the backend services unfiltered.
Component
Go standard library (net/http/httputil)
Disclosed
May 11, 2026
CVSS Score
5.3
net/http/httputil.ReverseProxy forwards query parameters beyond the urlmaxqueryparams GODEBUG limit that are not visible to the proxy's Rewrite or Director function. An attacker sending a request with more than the maximum number of query parameters can smuggle additional parameters to backend services while bypassing any proxy-level query parameter inspection or filtering.
Community Edition
2.13.5
addresses this CVE
Affected CE versions
>= 2.0, < 2.13.5
Enterprise Edition
2.13.3
addresses this CVE
Affected EE versions
>= 2.0, < 2.13.3
Upgrade to the addressed version or later to remediate this vulnerability.
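The failure mode described above, and the fail-closed alternative, as an added illustration that is not KrakenD's code and not Go's net/url implementation: parseQueryCapped is a constructed stand-in for a parser that stops decoding after a fixed number of pairs (simulating the urlmaxqueryparams limit), allowedKeys is a constructed allow list standing in for an endpoint's input_query_strings, and the function names are hypothetical. forwardIfClean shows a Director that inspects the parsed view and then forwards RawQuery verbatim, so a pair past the cap is never inspected yet still reaches the backend; rebuildAllowed rejects requests with more raw pairs than the parser decodes and re-encodes only the allow-listed pairs it actually saw.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// parseQueryCapped stands in for a query parser that stops decoding after
// maxParams key=value pairs, the behaviour the advisory attributes to the
// urlmaxqueryparams limit. Constructed simulation for this example, not
// Go's own net/url code.
func parseQueryCapped(raw string, maxParams int) url.Values {
	vals := url.Values{}
	seen := 0
	for _, pair := range strings.Split(raw, "&") {
		if pair == "" {
			continue
		}
		if seen >= maxParams {
			break // everything after this point is invisible to the caller
		}
		seen++
		k, v, _ := strings.Cut(pair, "=")
		key, err := url.QueryUnescape(k)
		if err != nil {
			continue
		}
		val, err := url.QueryUnescape(v)
		if err != nil {
			continue
		}
		vals[key] = append(vals[key], val)
	}
	return vals
}

// countRawPairs counts key=value pairs in the raw query string without
// decoding them, so it sees the whole string regardless of any parser cap.
func countRawPairs(raw string) int {
	n := 0
	for _, pair := range strings.Split(raw, "&") {
		if pair != "" {
			n++
		}
	}
	return n
}

// allowedKeys is a constructed allow list standing in for the parameters an
// endpoint's input_query_strings would accept.
var allowedKeys = map[string]bool{"page": true, "limit": true}

// forwardIfClean is the pattern the advisory describes: the Director checks
// the parsed view for disallowed keys and, finding none, forwards the raw
// query string untouched. Pairs beyond the cap were never inspected but are
// still sent to the backend.
func forwardIfClean(raw string, maxParams int) (string, bool) {
	for k := range parseQueryCapped(raw, maxParams) {
		if !allowedKeys[k] {
			return "", false
		}
	}
	return raw, true
}

// rebuildAllowed is the fail-closed alternative: a request carrying more raw
// pairs than the parser will decode is rejected, and the outgoing query is
// re-encoded from the allow-listed pairs that were actually parsed, so
// nothing the proxy did not see can reach the backend.
func rebuildAllowed(raw string, maxParams int) (string, bool) {
	if countRawPairs(raw) > maxParams {
		return "", false
	}
	out := url.Values{}
	for k, vs := range parseQueryCapped(raw, maxParams) {
		if allowedKeys[k] {
			out[k] = vs
		}
	}
	return out.Encode(), true
}

func main() {
	// Constructed request: a cap of 3 pairs, with a fourth pair the proxy never sees.
	raw := "page=1&limit=5&page=2&debug=1"
	q, ok := forwardIfClean(raw, 3)
	fmt.Printf("pass-through: ok=%v forwarded=%q\n", ok, q)
	q, ok = rebuildAllowed(raw, 3)
	fmt.Printf("rebuild:      ok=%v forwarded=%q\n", ok, q)
}
```

Run as-is to see the pass-through variant forward the unseen fourth pair while the rebuild variant refuses the request. The design point is that any inspection done on a parsed view is only as complete as that view; the outgoing query must be derived from what was inspected, not copied from the raw input.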