Security Flaw in go-kratos Affecting HTTP Server Functionality
CVE-2026-6993

6.9MEDIUM

Key Information:

Vendor: Go-kratos
Status: Kratos
Vendor: CVE Published:; 25 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-6993?

A security flaw exists in go-kratos up to version 2.9.2 that affects the NewServer function in the transport/http/server.go file. This vulnerability impacts the http.DefaultServeMux Fallback Handler, allowing for unintended intermediary exposure. The vulnerability can be exploited remotely, posing significant security risks. It is crucial to apply the patch identified as 0284a5bcf92b5a7ee015300ce3051baf7ae4718d to mitigate the risks associated with this flaw.

Affected Version(s)

kratos 2.9.0

kratos 2.9.1

kratos 2.9.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-6993 - Proof of Concept

References

https://vuldb.com/vuln/359545

vdb-entrytechnical-description

https://vuldb.com/vuln/359545/cti

signaturepermissions-required

https://vuldb.com/submit/797099

third-party-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 25, 2026
👾
Exploit known to exist
Apr 25, 2026
Vulnerability published
Apr 25, 2026
Vulnerability Reserved
Apr 24, 2026

Credit

Yu_Bao (VulDB User)

CVE-2026-6993 Data

JSON

Go-kratos

Badges

What is CVE-2026-6993?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit