CVE-2026-6993
Received Received - Intake
Remote Intermediary Manipulation in go-kratos HTTP Server

Publication date: 2026-04-25

Last updated on: 2026-04-25

Assigner: VulDB

Description
A security flaw has been discovered in go-kratos kratos up to 2.9.2. This impacts the function NewServer of the file transport/http/server.go of the component http.DefaultServeMux Fallback Handler. The manipulation results in unintended intermediary. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 0284a5bcf92b5a7ee015300ce3051baf7ae4718d. Applying a patch is advised to resolve this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-25
Last Modified
2026-04-25
Generated
2026-06-16
AI Q&A
2026-04-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6993
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
go-kratos kratos to 2.9.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-6993 affects the go-kratos HTTP server's fallback handling for unmatched routes and disallowed HTTP methods. The server used the global shared instance http.DefaultServeMux as the fallback handler, which can have debug and profiling endpoints registered by other packages such as net/http/pprof. This caused unintended exposure of sensitive debug endpoints like /debug/pprof/ and its subpaths, allowing remote attackers to access profiling data, goroutine dumps, heap profiles, and other sensitive runtime information without authentication.

The issue arises because any HTTP request to an unregistered path falls through to DefaultServeMux, exposing these debug endpoints instead of returning a proper 404 Not Found or 405 Method Not Allowed response. The vulnerability can be exploited remotely and the exploit has been publicly released.

The patch replaces the fallback handlers with safer defaults: NotFoundHandler now returns a 404 Not Found response, and MethodNotAllowedHandler returns a 405 Method Not Allowed response, preventing accidental exposure of debug endpoints.

Impact Analysis

This vulnerability can impact you by allowing unauthenticated remote attackers to access sensitive profiling and debug data exposed by the go-kratos HTTP server. The exposed information includes:

  • Process command-line arguments that may contain secrets such as database passwords or API keys.
  • Full goroutine stack dumps revealing source code paths, internal package structures, dependency versions, and runtime state.
  • Heap memory dumps containing sensitive runtime data like credentials, session tokens, encryption keys, or personally identifiable information (PII).
  • CPU profiles exposing hot code paths, business logic, and internal function names.
  • Execution traces providing detailed request processing timing and goroutine activity.

Additionally, the CPU profiling endpoint can be abused to perform denial-of-service attacks by triggering multiple concurrent profiling requests, potentially degrading server performance.

Detection Guidance

This vulnerability can be detected by checking if the go-kratos HTTP server exposes debug profiling endpoints such as /debug/pprof/ and its subpaths. These endpoints are unintentionally exposed if the server uses http.DefaultServeMux as the fallback handler.

To detect this on your system or network, you can send HTTP requests to the following endpoints and observe if they return HTTP 200 OK responses with profiling data without authentication:

  • /debug/pprof/
  • /debug/pprof/cmdline
  • /debug/pprof/profile
  • /debug/pprof/symbol
  • /debug/pprof/trace
  • /debug/pprof/heap
  • /debug/pprof/goroutine

Example commands using curl to test exposure:

  • curl -i http://your-server-address/debug/pprof/
  • curl -i http://your-server-address/debug/pprof/profile

If these endpoints respond with HTTP 200 and profiling data without authentication, your server is vulnerable.

Mitigation Strategies

The immediate mitigation is to prevent the go-kratos HTTP server from using http.DefaultServeMux as the fallback handler for unmatched routes and disallowed HTTP methods.

Specifically, you should configure the server to use safer fallback handlers that do not expose debug endpoints:

  • Set the NotFoundHandler to http.NotFoundHandler(), which returns a 404 Not Found response.
  • Set the MethodNotAllowedHandler to a handler that returns HTTP 405 Method Not Allowed.

If you cannot immediately apply the official patch identified by commit 0284a5bcf92b5a7ee015300ce3051baf7ae4718d, you can override these handlers manually when creating the server to prevent fallback to DefaultServeMux.

Ultimately, applying the official patch that replaces the fallback handlers in the NewServer() function is the recommended fix.

Compliance Impact

The vulnerability CVE-2026-6993 causes unintended exposure of sensitive debug endpoints such as /debug/pprof/ which can leak profiling data, goroutine dumps, heap profiles, and other sensitive runtime information over the network without authentication.

This exposure can lead to leakage of sensitive data including process command-line arguments (which may contain secrets like database passwords or API keys), heap memory dumps (potentially containing credentials, session tokens, encryption keys, or personally identifiable information), and detailed runtime state.

Such unintended data exposure can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require protection of personal data and sensitive information from unauthorized access.

Therefore, until patched, this vulnerability increases the risk of non-compliance by allowing unauthenticated remote attackers to access sensitive information that should be protected under these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6993. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart