Skip to main content

go-kratos kratos CVE-2026-6993

| EUVDEUVD-2026-25669 MEDIUM
Unintended Proxy or Intermediary ('Confused Deputy') (CWE-441)
2026-04-25 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
PoC Detected
Apr 27, 2026 - 18:42 vuln.today
Public exploit code
Analysis Generated
Apr 25, 2026 - 19:30 vuln.today
CVSS changed
Apr 25, 2026 - 19:22 NVD
5.3 (MEDIUM) 5.5 (MEDIUM)
EUVD ID Assigned
Apr 25, 2026 - 19:00 euvd
EUVD-2026-25669
Analysis Generated
Apr 25, 2026 - 19:00 vuln.today
Patch released
Apr 25, 2026 - 19:00 nvd
Patch available
CVE Published
Apr 25, 2026 - 18:30 nvd
MEDIUM 5.5

DescriptionCVE.org

A security flaw has been discovered in go-kratos kratos up to 2.9.2. This impacts the function NewServer of the file transport/http/server.go of the component http.DefaultServeMux Fallback Handler. The manipulation results in unintended intermediary. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 0284a5bcf92b5a7ee015300ce3051baf7ae4718d. Applying a patch is advised to resolve this issue.

AnalysisAI

Unintended intermediary exposure in go-kratos kratos up to 2.9.2 allows remote attackers to disclose sensitive information via manipulation of the http.DefaultServeMux fallback handler in the NewServer function. The vulnerability has publicly available exploit code and affects the HTTP transport layer with a CVSS score of 5.5, representing a confidentiality impact without availability or integrity concerns.

Technical ContextAI

The vulnerability resides in the HTTP transport component of go-kratos, specifically in the NewServer function of transport/http/server.go. The flaw involves improper handling of the http.DefaultServeMux fallback handler mechanism, which can expose intermediary system information or application details. CWE-441 (Unintended Proxy or Intermediary) indicates that the vulnerability stems from the application acting as an unintended intermediary, potentially leaking information through HTTP responses. The affected library versions through 2.9.2 do not properly isolate or validate the fallback routing behavior, allowing remote exploitation without authentication.

RemediationAI

Apply the vendor-released patch identified as commit 0284a5bcf92b5a7ee015300ce3051baf7ae4718d via GitHub pull request #3814 by upgrading go-kratos beyond version 2.9.2. Verify the patched version in go.mod and rebuild the application to incorporate the fix. For immediate mitigation pending patch deployment, restrict HTTP access to kratos services to trusted networks only, implement reverse proxy filtering rules to block requests targeting known fallback handler patterns, and disable or explicitly configure the http.DefaultServeMux fallback behavior through kratos configuration options. Verify patch effectiveness by testing the fallback handler behavior to confirm intermediary information is no longer exposed in HTTP responses.

Vendor StatusVendor

Share

CVE-2026-6993 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy