News KrakenD CE 2.13.8 and EE 2.13.6 update released

CVE-2026-42505 Low False Positive

crypto/tls: Encrypted Client Hello Privacy Leak via PSK in Outer ClientHello

This CVE does not affect KrakenD

The flaw is only reachable by a TLS client that performs an ECH handshake, which in Go requires setting Config.EncryptedClientHelloConfigList on the client. KrakenD does not expose or enable ECH on its backend TLS client connections, so it never emits an ECH outer ClientHello and the vulnerable PSK path is never executed. The Go team classified the issue as limited impact (a privacy degradation, not a confidentiality or integrity break).

Addressed through routine dependency maintenance in CE 2.13.8 and EE 2.13.6.

Component

Go standard library (crypto/tls)

Disclosed

Jul 8, 2026

Description

Go’s crypto/tls included the Pre-Shared Key (PSK) extension in the outer ClientHello of an Encrypted Client Hello (ECH) handshake. An on-path attacker could collect these outer ClientHellos and replay them with arbitrary guessed SNI values: a server accepting the PSK would fail binder validation, giving the attacker a probing oracle that degrades the privacy ECH is meant to provide. The fix omits the PSK extension from the ECH outer ClientHello. This does not affect KrakenD, which does not enable Encrypted Client Hello on its outbound TLS connections.

Stay up to date with KrakenD releases and important updates