CVE-2026-42154
High · CVSS 7.5
Status
False Positive

KrakenD uses the Prometheus client library (prometheus/client_golang) for exposing metrics at a /metrics endpoint. The vulnerable remote read API (/api/v1/read) is a feature of the Prometheus server binary and is not implemented or exposed by KrakenD. The dependency was upgraded as a precaution.

Addressed through routine dependency maintenance in CE 2.13.5 and EE 2.13.3.
Component
Prometheus client library
Disclosed
May 11, 2026
CVSS Score
7.5
Description
The Prometheus remote read API (/api/v1/read) fails to validate the declared decoded length of snappy-compressed request bodies before allocating memory. An unauthenticated attacker can send a small payload that triggers excessive heap allocation per request, potentially exhausting memory and crashing the process under concurrent load.