QwikSec

Security Database

CVE

CWE

Training

CVE-2026-6993

Published: Apr 25, 2026

Modified: Apr 27, 2026

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

A security flaw has been discovered in go-kratos kratos up to 2.9.2. This impacts the function NewServer of the file transport/http/server.go of the component http.DefaultServeMux Fallback Handler. The manipulation results in unintended intermediary. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 0284a5bcf92b5a7ee015300ce3051baf7ae4718d. Applying a patch is advised to resolve this issue.

Vendor	Product	Versions
go-kratos	kratos	affected `2.9.0` affected `2.9.1` affected `2.9.2`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

VDB-359545 | go-kratos http.DefaultServeMux Fallback server.go NewServer confused deputy

vdb-entry

technical-description

VDB-359545 | CTI Indicators (IOB, IOC, IOA)

signature

permissions-required

Submit #797099 | go-kratos kratos 2.9.2 Unintended Route Exposure via DefaultServeMux Fallback

third-party-advisory

https://github.com/go-kratos/kratos/issues/3810

exploit

issue-tracking

https://github.com/go-kratos/kratos/pull/3814

issue-tracking

patch

https://github.com/Yanhu007/kratos/commit/0284a5bcf92b5a7ee015300ce3051baf7ae4718d

patch

https://github.com/go-kratos/kratos/

product

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.