Critical & High with Kapacitor Binaries

Hi Team,

With a recent Trivy scan, we identified one Critical and several High severity vulnerabilities, as highlighted in the table below. We would like to understand whether fixes for these issues are already planned. If not, could you please let us know if there is any plan or timeline to address them?

Our setup: We are using a Debian-based image with Kapacitor version 1.8.4, installed via the Debian package.

Trivy Vulnerability Scan Results

Binary: /usr/bin/kapacitor

| Vulnerability ID | Severity | CVSS | Title | Library | Vulnerable Version | Fixed Version |
|---|---|---|---|---|---|---|
| CVE-2026-25679 | HIGH | - | net/url: Incorrect parsing of IPv6 host literals | stdlib | v1.25.7 | 1.25.8, 1.26.1 |
| CVE-2026-32282 | HIGH | - | syscall/unix: Root.Chmod can follow symlinks | stdlib | v1.25.7 | 1.25.9, 1.26.2 |
| CVE-2026-27142 | MEDIUM | - | html/template: meta URL escaping issue | stdlib | v1.25.7 | 1.25.8, 1.26.1 |
| CVE-2026-32281 | MEDIUM | - | crypto/x509 DoS via cert validation | stdlib | v1.25.7 | 1.25.9, 1.26.2 |
| CVE-2026-32288 | MEDIUM | - | archive/tar DoS via crafted archive | stdlib | v1.25.7 | 1.25.9, 1.26.2 |
| CVE-2026-32289 | MEDIUM | - | html/template XSS vulnerability | stdlib | v1.25.7 | 1.25.9, 1.26.2 |
| CVE-2026-27139 | LOW | - | os: FileInfo escape issue | stdlib | v1.25.7 | 1.25.8, 1.26.1 |
| CVE-2026-32280 | UNKNOWN | - | Chain building work issue | stdlib | v1.25.7 | 1.25.9, 1.26.2 |
| CVE-2026-32283 | UNKNOWN | - | TLS key update issue | stdlib | v1.25.7 | 1.25.9, 1.26.2 |

Binary: /usr/bin/kapacitord

| Vulnerability ID | Severity | CVSS | Title | Library | Vulnerable Version | Fixed Version |
|---|---|---|---|---|---|---|
| GHSA-xmrv-pmrh-hhx2 | MEDIUM | - | AWS SDK EventStream DoS | aws-sdk-go-v2 | v1.4.10 | 1.7.8 |
| GHSA-xmrv-pmrh-hhx2 | MEDIUM | - | AWS SDK S3 DoS | aws-sdk-go-v2/service/s3 | v1.31.0 | 1.97.3 |
| CVE-2026-34040 | HIGH | 7.8 | Moby authorization bypass | docker/docker | v27.1.1 | 29.3.1 |
| CVE-2026-33997 | MEDIUM | 8.1 | Moby plugin privilege bypass | docker/docker | v27.1.1 | 29.3.1 |
| CVE-2025-54410 | LOW | 5.2 | Firewalld reload isolation issue | docker/docker | v27.1.1 | 25.0.13, 28.0.0 |
| CVE-2022-21698 | HIGH | 7.5 | Prometheus DoS vulnerability | prometheus/client_golang | v1.10.0 | 1.11.1 |
| CVE-2026-33186 | CRITICAL | - | gRPC authorization bypass | grpc-go | v1.58.3 | 1.79.3 |

We have been following up on the same issue via email with security@influxdata.com, but have not received a response so far. Please let us know if you need any additional details from our side.

https://github.com/influxdata/kapacitor/pull/2894 updated golang to 1.25.9 and is merged. kapacitor 1.8.4 was compiled with golang 1.25.8 and was released on 2026-04-16. The 1.8.5 release is currently being prepared with the above PR.

Of the high and critical issues:

  • CVE-2026-25679 - net/url - fixed in golang 1.25.8/kapacitor 1.8.4
  • CVE-2026-32282 - os: Root.Chmod - not sure why trivy is treating this as a high; https://github.com/advisories/GHSA-xj38-jxc5-rppx lists it as a ‘moderate’. Note that kapacitor as a deb/rpm runs under the unprivileged ‘kapacitor’ user and group. Fixed in golang 1.25.9/pending kapacitor 1.8.5
  • CVE-2026-34040 - github.com/moby/moby - this is only when running as a docker daemon to run containers, which kapacitor does not do
  • CVE-2026-33186 - google.golang.org/grpc - this requires that the software run a gRPC server, which kapacitor does not do. https://github.com/influxdata/kapacitor/pull/2887 exists for this
  • CVE-2022-21698 - prometheus/client_golang - kapacitor imports github.com/prometheus/client_golang/prometheus and not the affected github.com/prometheus/client_golang/promhttp and is not affected

In summary, all of the open issues that affect kapacitor are ‘medium’ or lower and they will be fixed in the upcoming 1.8.5 release.
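As an added example, not from this thread or the Kapacitor project, the Go program below reads the build metadata the Go linker embeds in a binary (the `debug/buildinfo` package, the same data `go version -m` prints) and checks the toolchain and module versions against scanner rows like the ones above. It lets an operator confirm for themselves which Go release a `/usr/bin/kapacitord` was compiled with and which modules are linked in, rather than relying on a scanner's label. Two things are assumptions of mine: the mapping of Trivy's short library names to module paths (`github.com/docker/docker`, `google.golang.org/grpc`, `github.com/prometheus/client_golang`), and the reading of two-value "Fixed Version" entries such as `1.25.9, 1.26.2` as "patched if on one of those release lines at or above the listed patch, or on a newer line". The check reports module presence and version only; as the reply explains, a module being linked in says nothing about whether the affected package (`promhttp`) or code path (a gRPC server, a container daemon) is ever used.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Finding is one scanner row: the module it concerns ("stdlib" for the Go
// toolchain itself) and the versions carrying the fix, e.g. "1.25.9", "1.26.2".
type Finding struct {
	ID, Module string
	Fixed      []string
}

// Result is the verdict for one Finding against one binary.
type Result struct {
	ID, Module string
	Have       string // version linked into the binary, "" if absent
	Present    bool   // module (or stdlib) found in the build metadata
	Fixed      bool   // Have is at or above a fixed version on its release line
}

// parseVersion accepts "go1.25.7", "v1.25.7", "1.25.7" or "go1.26" and returns
// [major minor patch]; ok is false for anything else (e.g. "devel" toolchains).
func parseVersion(s string) (v [3]int, ok bool) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, false
		}
		v[i] = n
	}
	return v, true
}

func compare(a, b [3]int) int {
	for i := range a {
		if a[i] != b[i] {
			if a[i] < b[i] {
				return -1
			}
			return 1
		}
	}
	return 0
}

// IsFixed applies the assumed fixed-version semantics: on a release line that has
// a fixed version, the patch level decides; a line newer than every fixed release
// was cut after the fix; an older line (for Go, an end-of-life one) never got it.
func IsFixed(have string, fixed []string) bool {
	h, ok := parseVersion(have)
	if !ok || len(fixed) == 0 {
		return false // unknown version or no fix published: report as unfixed
	}
	var newest [3]int
	for _, f := range fixed {
		fv, ok := parseVersion(f)
		if !ok {
			continue
		}
		if compare(fv, newest) > 0 {
			newest = fv
		}
		if fv[0] == h[0] && fv[1] == h[1] {
			return compare(h, fv) >= 0
		}
	}
	return compare(h, newest) > 0
}

// NewBuildInfo assembles the metadata by hand, e.g. from a scanner report when
// the binary itself is not at hand (constructed input for the checks below).
func NewBuildInfo(goVersion string, deps map[string]string) *debug.BuildInfo {
	bi := &debug.BuildInfo{GoVersion: goVersion}
	for path, ver := range deps {
		bi.Deps = append(bi.Deps, &debug.Module{Path: path, Version: ver})
	}
	return bi
}

// ReadBinary extracts the metadata embedded in any module-aware Go build.
func ReadBinary(path string) (*debug.BuildInfo, error) { return buildinfo.ReadFile(path) }

// ReadSelf reads the running program's own metadata (a quick smoke test).
func ReadSelf() (*debug.BuildInfo, error) {
	exe, err := os.Executable()
	if err != nil {
		return nil, err
	}
	return ReadBinary(exe)
}

// Evaluate matches each finding against the toolchain and module versions in bi.
// A replace directive wins over the original requirement, as it does at link time.
func Evaluate(bi *debug.BuildInfo, findings []Finding) []Result {
	versions := map[string]string{"stdlib": bi.GoVersion}
	for _, d := range bi.Deps {
		ver := d.Version
		if d.Replace != nil {
			ver = d.Replace.Version
		}
		versions[d.Path] = ver
	}
	results := make([]Result, 0, len(findings))
	for _, f := range findings {
		have, present := versions[f.Module]
		r := Result{ID: f.ID, Module: f.Module, Have: have, Present: present}
		if present {
			r.Fixed = IsFixed(have, f.Fixed)
		}
		results = append(results, r)
	}
	return results
}

// The high/critical rows from the scan above; module paths are assumed mappings.
var kapacitorFindings = []Finding{
	{"CVE-2026-32282", "stdlib", []string{"1.25.9", "1.26.2"}},
	{"CVE-2026-34040", "github.com/docker/docker", []string{"29.3.1"}},
	{"CVE-2026-33186", "google.golang.org/grpc", []string{"1.79.3"}},
	{"CVE-2022-21698", "github.com/prometheus/client_golang", []string{"1.11.1"}},
}

func main() {
	bi, err := ReadSelf()
	if len(os.Args) > 1 {
		bi, err = ReadBinary(os.Args[1]) // e.g. /usr/bin/kapacitord
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "read build info:", err)
		os.Exit(1)
	}
	fmt.Printf("toolchain %s, %d modules linked\n", bi.GoVersion, len(bi.Deps))
	for _, r := range Evaluate(bi, kapacitorFindings) {
		switch {
		case !r.Present:
			fmt.Printf("%-15s %-40s not linked in\n", r.ID, r.Module)
		case r.Fixed:
			fmt.Printf("%-15s %-40s %s fixed\n", r.ID, r.Module, r.Have)
		default:
			fmt.Printf("%-15s %-40s %s vulnerable version; check whether the code path is used\n", r.ID, r.Module, r.Have)
		}
	}
}
```

Run it as `go run . /usr/bin/kapacitord` to inspect a packaged binary; with no argument it reports on itself. An unparseable toolchain string (a `devel` build) is deliberately reported as unfixed rather than silently passed.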

Fyi, 1.8.5 was released today and is available for download. The docker images will be available soon.