Vulnerability in Go-kratos Kratos
CVE-2026-6993
A security flaw has been discovered in go-kratos kratos up to 2.9.2. This impacts the function NewServer of the file transport/http/server.go of the component http.DefaultServeMux Fallback Handler. The manipulation results in unintended in…
EPSS: 0.001 (16.1th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C.
Affected products
- Go-kratos Kratos — versions 2.9.0, 2.9.1, 2.9.2
Weakness classification (CWE)
References
- VDB-359545 | go-kratos http.DefaultServeMux Fallback server.go NewServer confused deputy (vdb-entry, technical-description)
- VDB-359545 | CTI Indicators (IOB, IOC, IOA) (signature, permissions-required)
- Submit #797099 | go-kratos kratos 2.9.2 Unintended Route Exposure via DefaultServeMux Fallback (third-party-advisory)
- github.com/go-kratos/kratos/issues/3810 (exploit, issue-tracking)
- github.com/go-kratos/kratos/pull/3814 (issue-tracking, patch)
- github.com/Yanhu007/kratos/commit/0284a5bcf92b5a7ee015300ce3051baf7ae4718d (patch)
- github.com/go-kratos/kratos/ (product)
Frequently asked questions
- What is CVE-2026-6993?
- CVE-2026-6993 is a medium-severity vulnerability in Go-kratos Kratos, classified under Unintended Proxy or Intermediary (Confused Deputy). CVSS score: 5.3/10. Published 2026-04-25.
- How severe is CVE-2026-6993?
- Medium severity. CVSS v3 base score is 5.3 out of 10.