CVE-2026-40179
Medium · CVSS 6.1
Status
False Positive

The Prometheus web UI inserts metric data into the page via innerHTML without HTML escaping. An attacker with the ability to write metrics — via remote write, OTLP, or compromised scrape targets — can inject arbitrary JavaScript that executes in users’ browsers when they view the Prometheus web UI.

KrakenD uses the Prometheus client library (prometheus/client_golang) to expose a /metrics scrape endpoint and does not embed or serve the Prometheus web UI. The vulnerable JavaScript rendering components are part of the Prometheus server application, which KrakenD does not include. The dependency was upgraded as a precaution.

Addressed through routine dependency maintenance in CE 2.13.5 and EE 2.13.3.

Component
Prometheus client library
Disclosed
May 11, 2026
CVSS Score
6.1
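The advisory's root cause is a rendering path that assigns untrusted metric data to innerHTML without escaping. The following is an added illustration, not code from Prometheus or KrakenD: a constructed metric row renderer in its unsafe and hardened forms, plus a check a defender can run over rendered output to confirm that label values from remote write, OTLP or a scrape target cannot introduce elements the template did not emit. The metric sample and the helper names are constructed for this example.

```javascript
// Added example (not part of the KrakenD advisory or of Prometheus): why
// building markup from metric data without escaping is an XSS sink, and what
// the escaped form looks like. All names and the sample metric are constructed.

// Minimal HTML escaping for text that will be placed into an HTML context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe pattern: label values are concatenated straight into markup that a
// UI would then hand to element.innerHTML. Whoever controls the label value
// controls the resulting DOM.
function renderRowUnsafe(metric) {
  const labels = Object.entries(metric.labels)
    .map(([k, v]) => `${k}="${v}"`)
    .join(',');
  return `<td>${metric.name}{${labels}}</td><td>${metric.value}</td>`;
}

// Hardened pattern: every untrusted field is escaped before it enters markup,
// so markup in a label value renders as visible text rather than as elements.
function renderRowSafe(metric) {
  const labels = Object.entries(metric.labels)
    .map(([k, v]) => `${escapeHtml(k)}="${escapeHtml(v)}"`)
    .join(',');
  return `<td>${escapeHtml(metric.name)}{${labels}}</td><td>${escapeHtml(metric.value)}</td>`;
}

// Defender-side check: does the rendered HTML contain any tag other than the
// <td> cells the template itself emits? Any other tag means untrusted input
// reached the markup unescaped.
function hasUnexpectedTags(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some((t) => !/^<\/?td$/i.test(t));
}

// Constructed sample: a label value carrying markup, of the kind that could
// arrive through remote write, OTLP, or a compromised scrape target.
const hostileSample = {
  name: 'http_requests_total',
  labels: { job: 'api', instance: '<script>alert(1)</script>' },
  value: 42,
};

console.log('unsafe:', renderRowUnsafe(hostileSample));
console.log('safe:  ', renderRowSafe(hostileSample));
console.log('unsafe leaks tags:', hasUnexpectedTags(renderRowUnsafe(hostileSample)));
console.log('safe leaks tags:  ', hasUnexpectedTags(renderRowSafe(hostileSample)));
```

The same contrast explains the false-positive verdict above: a client_golang /metrics endpoint emits the Prometheus text exposition format, never HTML, so there is no innerHTML sink on the KrakenD side for such a label value to reach.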