We began by creating a model with the community version to assess its capabilities. Once we confirmed that this tool met our needs, we opted for an enterprise license. Simply to benefit from tools that facilitate integration into our model and address specific requirements of our architecture in terms of security, data transformation, and authentication management.
Nicolas Gabetty
Senior Engineer / Coop Atlantique
CVE-2026-42508
Medium
False Positivegolang.org/x/crypto/ssh/knownhosts package is a transitive dependency but its
code paths are never invoked during KrakenD operation. The dependency was upgraded
as a precaution.Addressed through routine dependency maintenance in CE 2.13.6 and EE 2.13.4.
Component
golang.org/x/crypto (SSH)
Disclosed
May 26, 2026
golang.org/x/crypto/ssh/knownhosts package does not verify the @revoked
status of a certificate authority’s SignatureKey. A certificate issued by a
revoked CA may be accepted as valid, allowing an entity whose CA key was revoked
to still authenticate successfully.Stay up to date with KrakenD releases and important updates