Description
A security flaw has been discovered in go-kratos kratos up to 2.9.2. This impacts the function NewServer of the file transport/http/server.go of the component http.DefaultServeMux Fallback Handler. The manipulation results in unintended intermediary. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 0284a5bcf92b5a7ee015300ce3051baf7ae4718d. Applying a patch is advised to resolve this issue.
Published: 2026-04-25
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The NewServer constructor in go-kratos' HTTP transport (transport/http/server.go) uses Go's process-global http.DefaultServeMux as the fallback handler for requests that match none of the routes the application registered. Any handler that some package has placed on that global mux, deliberately or as an import side effect (net/http/pprof and expvar register their handlers on import), is therefore reachable through the Kratos server even though the application never defined that route. That is the unintended proxy or intermediary pattern of CWE-441 (confused deputy); the record later also received CWE-444. The CVSS vectors on this page rate the impact as a low confidentiality loss only (C:L / VC:L, no integrity or availability impact), so the realistic outcome is disclosure of whatever such handlers return, not code execution or elevated rights.

Affected Systems

The record lists go-kratos kratos up to and including version 2.9.2 as affected. The page does not name a first fixed release, only the patch commit cited in the description.

Risk and Exploitability

The 6.9 is the CVSS v4.0 score; the v3.0 and v3.1 vectors on this page score the same flaw 5.3, with network attack vector, low complexity, no privileges and no user interaction required, but only a low confidentiality impact and no integrity or availability impact. The EPSS estimate below 1% points to a low probability of exploitation in the wild, while the SSVC entry records a public proof of concept and rates the attack as automatable. The issue is not in CISA's KEV catalog. Because the HTTP listener itself is the reachable component and a proof of concept is public, deployments exposed to untrusted networks that have not applied the patch should be treated as exposed.

Generated by OpenCVE AI on April 29, 2026 at 02:19 UTC.

Remediation

This field records no vendor fix or workaround, but the description above identifies patch commit 0284a5bcf92b5a7ee015300ce3051baf7ae4718d; see the recommended actions below.

OpenCVE Recommended Actions

  • Apply the patch identified by commit 0284a5bcf92b5a7ee015300ce3051baf7ae4718d, or upgrade to a release that contains it (the page does not name the first fixed version; check the GHSA entry before pinning one)
  • Keep the HTTP listener off untrusted networks with firewall rules or access controls until the patch is deployed; the flaw is reachable by any client that can open a connection to the service
  • Find out what the binary registers on http.DefaultServeMux: net/http/pprof and expvar do so on import, and any direct http.Handle or http.HandleFunc call does too. Serve such handlers from a separately bound, access-controlled listener rather than the global mux, so that nothing sensitive is reachable through the Kratos server's fallback
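
The fallback described in the Impact section and the check in the last action above, as an added Go example that is not Kratos's code: it models the NewServer fallback with a standard-library router whose unmatched paths go to http.DefaultServeMux, shows the hardened alternative (an explicit 404 from the application itself), and probes the two paths that net/http/pprof and expvar register on the global mux. The /api/orders route, the X-API-Key header, the value "secret", the host app.example and the /debug/pprof/ stand-in handler are constructed for the example; the Kratos router internals are not reproduced.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// init stands in for a package that registers on the process-global mux as an
// import side effect, as net/http/pprof does; constructed, not Kratos or pprof code.
func init() {
	http.HandleFunc("/debug/pprof/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "goroutine and heap dumps") // diagnostics nobody meant to publish
	})
}

// newAppRouter: the only route the application means to expose, behind a
// per-route check. The X-API-Key header and "secret" are constructed.
func newAppRouter() *http.ServeMux {
	app := http.NewServeMux()
	app.HandleFunc("/api/orders", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-API-Key") != "secret" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "orders")
	})
	return app
}

// withFallback sends matched paths to app and every other path to notFound. With
// http.DefaultServeMux as notFound the server relays whatever else sits on the
// global mux, which is the intermediary shape the advisory names.
func withFallback(app *http.ServeMux, notFound http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, pattern := app.Handler(r); pattern == "" {
			notFound.ServeHTTP(w, r)
			return
		}
		app.ServeHTTP(w, r)
	})
}

// handlerTransport lets an *http.Client reach an http.Handler in-process, so the
// probe runs offline here and unchanged against a live base URL.
type handlerTransport struct{ h http.Handler }
func (t handlerTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// clientFor wires an in-process client to app with the vulnerable fallback
// (http.DefaultServeMux) or the hardened one (the application's own 404).
func clientFor(app *http.ServeMux, vulnerable bool) *http.Client {
	notFound := map[bool]http.Handler{true: http.DefaultServeMux, false: http.NotFoundHandler()}[vulnerable]
	return &http.Client{Transport: handlerTransport{withFallback(app, notFound)}}
}

// get returns status and body for one GET, sending the API key when given.
func get(client *http.Client, url, apiKey string) (int, string, error) {
	req, _ := http.NewRequest(http.MethodGet, url, nil)
	if apiKey != "" {
		req.Header.Set("X-API-Key", apiKey)
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), nil
}

// probeDefaultMuxPaths requests, unauthenticated, the paths net/http/pprof and
// expvar register on http.DefaultServeMux; a 200 means the fallback is live.
func probeDefaultMuxPaths(client *http.Client, baseURL string) ([]string, error) {
	var exposed []string
	for _, p := range []string{"/debug/pprof/", "/debug/vars"} {
		code, _, err := get(client, baseURL+p, "")
		if err != nil {
			return nil, err
		}
		if code == http.StatusOK {
			exposed = append(exposed, p)
		}
	}
	return exposed, nil
}

func main() {
	app := newAppRouter()
	for _, vulnerable := range []bool{true, false} {
		// any host works here: the mux patterns above carry none
		exposed, err := probeDefaultMuxPaths(clientFor(app, vulnerable), "http://app.example")
		fmt.Println("DefaultServeMux fallback:", vulnerable, "exposed:", exposed, err)
	}
}
```

To run the probe against a staging instance, pass a normal http.Client and the instance's base URL; an unauthenticated 200 on /debug/pprof/ or /debug/vars is the finding. A running binary offers no way to list what sits on http.DefaultServeMux, so pair the probe with a look at the import graph for net/http/pprof and expvar.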

Advisories
Source         ID                    Title
Github GHSA    GHSA-jj45-xvq5-rhh9   Kratos has a Confused Deputy issue
History

Wed, 29 Apr 2026 00:15:00 +0000

Type                     Values Removed   Values Added
Weaknesses                                CWE-444
References
Metrics threat_severity  None             Moderate

Mon, 27 Apr 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Go-kratos
                                      Go-kratos kratos
Vendors & Products                    Go-kratos
                                      Go-kratos kratos

Mon, 27 Apr 2026 14:15:00 +0000

Type          Values Removed   Values Added
Metrics ssvc                   {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 25 Apr 2026 19:00:00 +0000

Type              Values Removed   Values Added
Description                        A security flaw has been discovered in go-kratos kratos up to 2.9.2. This impacts the function NewServer of the file transport/http/server.go of the component http.DefaultServeMux Fallback Handler. The manipulation results in unintended intermediary. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 0284a5bcf92b5a7ee015300ce3051baf7ae4718d. Applying a patch is advised to resolve this issue.
Title                              go-kratos http.DefaultServeMux Fallback server.go NewServer confused deputy
Weaknesses                         CWE-441
References
Metrics cvssV2_0                   {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}
Metrics cvssV3_0                   {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
Metrics cvssV3_1                   {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
Metrics cvssV4_0                   {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:41:17.183Z

Reserved: 2026-04-24T19:43:37.550Z

Link: CVE-2026-6993

Vulnrichment

Updated: 2026-04-27T13:41:10.305Z

NVD

Status : Deferred

Published: 2026-04-25T19:16:00.177

Modified: 2026-04-27T18:42:11.700

Link: CVE-2026-6993

Redhat

Severity : Moderate

Public Date: 2026-04-25T18:30:16Z

Links: CVE-2026-6993 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T02:30:07Z

Weaknesses