CVE-2026-6993

MEDIUM

go-kratos http.DefaultServeMux Fallback server.go NewServer confused deputy

Title source: cna

Description

A security flaw has been discovered in go-kratos kratos up to 2.9.2. This impacts the function NewServer of the file transport/http/server.go of the component http.DefaultServeMux Fallback Handler. The manipulation results in unintended intermediary. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 0284a5bcf92b5a7ee015300ce3051baf7ae4718d. Applying a patch is advised to resolve this issue.

References (7)

Core 7

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-359545 | go-kratos http.DefaultServeMux Fallback server.go NewServer confused deputy

https://vuldb.com/vuln/359545

Signature, Permissions Required signature permissions-required

VDB-359545 | CTI Indicators (IOB, IOC, IOA)

https://vuldb.com/vuln/359545/cti

Third Party Advisory third-party-advisory

Submit #797099 | go-kratos kratos 2.9.2 Unintended Route Exposure via DefaultServeMux Fallback

https://vuldb.com/submit/797099

Exploit exploit issue-tracking

https://github.com/go-kratos/kratos/issues/3810

Patch issue-tracking patch

https://github.com/go-kratos/kratos/pull/3814

Patch patch

https://github.com/Yanhu007/kratos/commit/0284a5bcf92b5a7ee015300ce3051baf7ae4718d

View Patch ZIP pw:eip

Product product

https://github.com/go-kratos/kratos/

Scores

CVSS v3 5.3

EPSS 0.0032

EPSS Percentile 22.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-441

Status published

Products (4)

go-kratos/kratos 0Go

go-kratos/kratos 2.9.0

go-kratos/kratos 2.9.1

go-kratos/kratos 2.9.2

Published Apr 25, 2026

Tracked Since Apr 26, 2026