CVE-2026-6993
Remote Intermediary Manipulation in go-kratos HTTP Server
Publication date: 2026-04-25
Last updated on: 2026-04-25
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| go-kratos | kratos | up to and including 2.9.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-441 | The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability CVE-2026-6993 affects the go-kratos HTTP server's fallback handling for unmatched routes and disallowed HTTP methods. The server used the global shared instance http.DefaultServeMux as the fallback handler, which can have debug and profiling endpoints registered by other packages such as net/http/pprof. This caused unintended exposure of sensitive debug endpoints like /debug/pprof/ and its subpaths, allowing remote attackers to access profiling data, goroutine dumps, heap profiles, and other sensitive runtime information without authentication.
The issue arises because any HTTP request to an unregistered path falls through to DefaultServeMux, exposing these debug endpoints instead of returning a proper 404 Not Found or 405 Method Not Allowed response. The vulnerability can be exploited remotely and the exploit has been publicly released.
The patch replaces the fallback handlers with safer defaults: NotFoundHandler now returns a 404 Not Found response, and MethodNotAllowedHandler returns a 405 Method Not Allowed response, preventing accidental exposure of debug endpoints.
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthenticated remote attackers to access sensitive profiling and debug data exposed by the go-kratos HTTP server. The exposed information includes:
- Process command-line arguments that may contain secrets such as database passwords or API keys.
- Full goroutine stack dumps revealing source code paths, internal package structures, dependency versions, and runtime state.
- Heap memory dumps containing sensitive runtime data like credentials, session tokens, encryption keys, or personally identifiable information (PII).
- CPU profiles exposing hot code paths, business logic, and internal function names.
- Execution traces providing detailed request processing timing and goroutine activity.
Additionally, the CPU profiling endpoint can be abused to perform denial-of-service attacks by triggering multiple concurrent profiling requests, potentially degrading server performance.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the go-kratos HTTP server exposes debug profiling endpoints such as /debug/pprof/ and its subpaths. These endpoints are unintentionally exposed if the server uses http.DefaultServeMux as the fallback handler.
To detect this on your system or network, send HTTP requests to the following endpoints and observe whether they return HTTP 200 OK responses containing profiling data without authentication:
- /debug/pprof/
- /debug/pprof/cmdline
- /debug/pprof/profile
- /debug/pprof/symbol
- /debug/pprof/trace
- /debug/pprof/heap
- /debug/pprof/goroutine
Example commands using curl to test exposure:
- `curl -i http://your-server-address/debug/pprof/`
- `curl -i http://your-server-address/debug/pprof/profile`
If these endpoints respond with HTTP 200 and profiling data without authentication, your server is vulnerable. Note that `/debug/pprof/profile` collects a CPU profile for 30 seconds by default before it responds, so the index page or `/debug/pprof/cmdline` is the quicker probe and does not load the target's CPU.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to prevent the go-kratos HTTP server from using http.DefaultServeMux as the fallback handler for unmatched routes and disallowed HTTP methods.
Specifically, you should configure the server to use safer fallback handlers that do not expose debug endpoints:
- Set the NotFoundHandler to http.NotFoundHandler(), which returns a 404 Not Found response.
- Set the MethodNotAllowedHandler to a handler that returns HTTP 405 Method Not Allowed.
If you cannot immediately apply the official patch identified by commit 0284a5bcf92b5a7ee015300ce3051baf7ae4718d, you can override these handlers manually when creating the server to prevent fallback to DefaultServeMux.
Ultimately, applying the official patch that replaces the fallback handlers in the NewServer() function is the recommended fix.
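The following is an added illustration, not code from kratos or from the patch: it models the fallback design described above with a plain net/http ServeMux standing in for the real router, and compares the pre-patch fallback (http.DefaultServeMux, populated by a side-effect import of net/http/pprof) with the patched fallback (http.NotFoundHandler()). The helper names newRouter, vulnerableFallback, safeFallback and probe are hypothetical, and the /helloworld route is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	_ "net/http/pprof" // side effect: registers /debug/pprof/* on http.DefaultServeMux
)

// newRouter models the kratos fallback design: registered routes are served
// first and every other path is handed to fallback. The real server uses a
// different router; the stdlib ServeMux here is an illustrative stand-in.
func newRouter(fallback http.Handler) http.Handler {
	routes := http.NewServeMux()
	routes.HandleFunc("/helloworld", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "hello") // constructed application route
	})
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, pattern := routes.Handler(r); pattern != "" {
			routes.ServeHTTP(w, r)
			return
		}
		fallback.ServeHTTP(w, r) // unmatched path: this is the advisory's weak spot
	})
}

// vulnerableFallback is the pre-patch default: the process-wide DefaultServeMux,
// which any imported package (here net/http/pprof) may already have populated.
func vulnerableFallback() http.Handler { return http.DefaultServeMux }

// safeFallback is the patched default: a plain 404 that never consults DefaultServeMux.
func safeFallback() http.Handler { return http.NotFoundHandler() }

// probe serves one in-process request and returns the HTTP status code.
func probe(h http.Handler, method, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code
}

func main() {
	for _, p := range []string{"/helloworld", "/debug/pprof/", "/debug/pprof/cmdline", "/nothing"} {
		fmt.Printf("%-22s DefaultServeMux fallback=%d  NotFoundHandler fallback=%d\n", p,
			probe(newRouter(vulnerableFallback()), http.MethodGet, p),
			probe(newRouter(safeFallback()), http.MethodGet, p))
	}
}
```

With the DefaultServeMux fallback the pprof index and cmdline paths answer 200 even though the application never registered them; with the NotFoundHandler fallback they answer 404 while the application's own route still works.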
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability CVE-2026-6993 causes unintended exposure of sensitive debug endpoints such as /debug/pprof/ which can leak profiling data, goroutine dumps, heap profiles, and other sensitive runtime information over the network without authentication.
This exposure can lead to leakage of sensitive data including process command-line arguments (which may contain secrets like database passwords or API keys), heap memory dumps (potentially containing credentials, session tokens, encryption keys, or personally identifiable information), and detailed runtime state.
Such unintended data exposure can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require protection of personal data and sensitive information from unauthorized access.
Therefore, until patched, this vulnerability increases the risk of non-compliance by allowing unauthenticated remote attackers to access sensitive information that should be protected under these regulations.