KrakenD played a vital role in our API transformation journey by protecting our business platforms boundary and exposing the business capabilities in a standard way to both internal and external audience.
Stefano Leopizzi
Enterprise Architecture / lastminute.com
CVE-2026-46595
Medium
False Positivegolang.org/x/crypto/ssh package is a transitive dependency but its SSH
authentication code paths are never invoked during KrakenD operation. The
dependency was upgraded as a precaution.Addressed through routine dependency maintenance in CE 2.13.6 and EE 2.13.4.
Component
golang.org/x/crypto (SSH)
Disclosed
May 26, 2026
golang.org/x/crypto/ssh skips source-address certificate validation when
a VerifiedPublicKeyCallback is used alongside other callback types. This allows
a client connecting from an address not listed in the certificate’s source-address
restriction to authenticate successfully.Stay up to date with KrakenD releases and important updates