CVE-2026-42151
High
· CVSS 7.5
Status
False Positive

Upstream report
The upstream report concerns the Azure AD OAuth remote write configuration, which holds client_secret as a plain string rather than a secured field, allowing any user or process with access to the /-/config HTTP API endpoint to read the credential in plaintext.

Why this does not affect KrakenD
KrakenD uses the Prometheus client library (prometheus/client_golang) for metrics exposition only. The Azure AD OAuth remote write configuration is a feature of the Prometheus server, not of the client library, and is not part of KrakenD's use of Prometheus. KrakenD does not expose the /-/config endpoint, so there is no path by which the affected configuration or the credential could be read from a KrakenD instance. The dependency was upgraded as a precaution.

Resolution
Addressed through routine dependency maintenance in CE 2.13.5 and EE 2.13.3.

Component
Prometheus client library

Disclosed
May 11, 2026

CVSS Score
7.5
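The distinction the report turns on, a credential typed as a plain string versus a "secured field", is easy to see in code. The following Go program is an added illustration written for this page; it is not KrakenD or Prometheus code. The Secret type, the OAuth structs and the RenderConfig helper are hypothetical stand-ins that model the pattern: the secured type keeps the real value in memory but replaces it with a placeholder whenever the configuration is serialised, which is exactly what a config-dump endpoint does.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Secret is a hypothetical "secured field" type. The raw value stays
// usable in memory (string(s)), but any serialisation of a struct that
// contains it emits a fixed placeholder instead of the credential.
type Secret string

// MarshalJSON masks the value whenever the containing struct is rendered.
// Empty values stay empty so an unset field is still distinguishable.
func (s Secret) MarshalJSON() ([]byte, error) {
	if s == "" {
		return []byte(`""`), nil
	}
	return []byte(`"<secret>"`), nil
}

// PlainOAuth models the flawed shape described above: client_secret is a
// plain string, so a config dump emits the credential verbatim.
type PlainOAuth struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// SecuredOAuth is the same configuration with the field typed as Secret.
type SecuredOAuth struct {
	ClientID     string `json:"client_id"`
	ClientSecret Secret `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// RenderConfig stands in for what a config-dump HTTP endpoint returns to
// any caller: the in-memory configuration serialised as JSON. HTML
// escaping is disabled so the "<secret>" placeholder is emitted as-is.
func RenderConfig(cfg interface{}) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(cfg); err != nil {
		return "", err
	}
	return strings.TrimSpace(buf.String()), nil
}

// Leaks reports whether a rendered configuration contains the raw secret.
func Leaks(rendered, secret string) bool {
	return strings.Contains(rendered, secret)
}

func main() {
	// Constructed sample credential; not a real secret.
	const secret = "constructed-client-secret-123"

	plain, _ := RenderConfig(PlainOAuth{ClientID: "app", ClientSecret: secret, TenantID: "tenant"})
	secured, _ := RenderConfig(SecuredOAuth{ClientID: "app", ClientSecret: Secret(secret), TenantID: "tenant"})

	fmt.Println("plain string field:", plain, "leaks:", Leaks(plain, secret))
	fmt.Println("secured field:     ", secured, "leaks:", Leaks(secured, secret))
}
```

The plain-string rendering contains the credential; the secured rendering contains only the placeholder. For a KrakenD deployment the practical checks are the ones the advisory implies: a request to /-/config on the gateway should not be served at all, and `go version -m` on the KrakenD binary lists the prometheus/client_golang version actually built in, so you can confirm the precautionary upgrade landed in your build.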