CVE-2026-6993

MEDIUM

go-kratos http.DefaultServeMux Fallback server.go NewServer confused deputy

Title source: cna

Description

A security flaw has been discovered in go-kratos kratos up to 2.9.2. This impacts the function NewServer of the file transport/http/server.go of the component http.DefaultServeMux Fallback Handler. The manipulation results in unintended intermediary. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 0284a5bcf92b5a7ee015300ce3051baf7ae4718d. Applying a patch is advised to resolve this issue.

References (7)

[Vdb Entry, Technical Description] https://vuldb.com/vuln/359545

[Signature, Permissions Required] https://vuldb.com/vuln/359545/cti

[Third Party Advisory] https://vuldb.com/submit/797099

[Exploit] https://github.com/go-kratos/kratos/issues/3810

[Patch] https://github.com/go-kratos/kratos/pull/3814

[Patch] https://github.com/Yanhu007/kratos/commit/0284a5bcf92b5a7ee015300ce3051baf7ae4718d

View Patch ZIP pw:eip

[Product] https://github.com/go-kratos/kratos/

Scores

CVSS v3 5.3

EPSS 0.0005

EPSS Percentile 14.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-441

Status published

Products (3)

go-kratos/kratos 2.9.0

go-kratos/kratos 2.9.1

go-kratos/kratos 2.9.2

Published Apr 25, 2026

Tracked Since Apr 26, 2026