CVE-2026-6993: Go Kratos File Transport Vulnerability
A security flaw has been discovered in go-kratos kratos up to 2.9.2. It affects the file transport/http/server.go, specifically the http.DefaultServeMux fallback handler component.
Vulnerability Description
The function NewServer of the file transport implementation is vulnerable to arbitrary code execution through a path traversal or intermediate manipulation vulnerability. The attack can be launched remotely and results in unintended intermediary processing. This vulnerability has been publicly disclosed since April 25, 2026.
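The security-relevant property of a fallback to http.DefaultServeMux is that the global mux also carries every handler any imported package registered in its init (net/http/pprof and expvar are the usual ones), so a server that silently falls back to it exposes routes its author never wired up. The following is an added example, not kratos code and not the advisory's own material: a hypothetical fallback helper beside a hardened variant that uses a fresh, empty mux instead, with a constructed global route standing in for such an implicitly registered handler.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// Constructed stand-in for a package-level registration of the kind
// net/http/pprof or expvar perform in init(): it lands on DefaultServeMux.
func init() {
	http.HandleFunc("/debug/leaked", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		w.Write([]byte("process internals"))
	})
}

// newHandlerWithFallback is a hypothetical helper showing the risky pattern:
// when the caller supplies no handler, fall back to the global mux.
func newHandlerWithFallback(h http.Handler) http.Handler {
	if h == nil {
		return http.DefaultServeMux
	}
	return h
}

// newHandlerIsolated is the hardened variant: an absent handler becomes a
// fresh mux, so nothing registered globally is reachable through this server.
func newHandlerIsolated(h http.Handler) http.Handler {
	if h == nil {
		return http.NewServeMux()
	}
	return h
}

// probe returns the status code the handler produces for path; it is the
// check a defender can run against their own server construction.
func probe(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	println(probe(newHandlerWithFallback(nil), "/debug/leaked")) // 200: global route exposed
	println(probe(newHandlerIsolated(nil), "/debug/leaked"))     // 404: isolated mux
}
```

The same probe run against a deployed binary (requesting a path you never registered and expecting 404) is a quick way to confirm a server does not route through the global mux.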
Affected Systems
- Project: go-kratos / kratos
- VulnId: CVE-2026-6993
- Patch Version: v1.9.7 (Patch 0284a5bcf92b5a7ee015300ce3051baf7ae4718d)
Impact and Exploitability
The vulnerability allows attackers to bypass security controls and execute arbitrary code through the file transport layer. The remote execution capability makes this attack vector particularly dangerous.
| Metric | Value |
|---|---|
| CVSS Score | 5.3 (M) |
| Vuln Severity | MEDIUM |
| Patch Available | Yes (v1.9.7) |
| Risk Level | MEDIUM |
Indicators of Compromise (IOCs)
No public indicators are available for this vulnerability.
Mitigation and Patches
- Patch: Update to kratos v1.9.7 or later (Patch 0284a5bcf92b5a7ee015300ce3051baf7ae4718d)
- Action Required: Apply patch to all affected versions immediately
- Contact Support: Provide CVE-2026-6993 for escalation
Related Technology
- go-kratos / kratos
- HTTP File Transport
- Default Serve Mux Fallback Handler
Last updated: April 25, 2026 | Source: CVE Database