PT-2026-55464 · Unknown · Kerberos-Io/Agent
Published
2026-07-02
·
Updated
2026-07-07
·
CVE-2026-50192
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
kerberos-io/agent versions prior to 3.6.26
Description
An issue exists in the Kerberos Hub upload path where the agent sends credentials in the custom
X-Kerberos-Hub-PrivateKey and X-Kerberos-Hub-PublicKey request headers to the operator-configured Hub URL (config.HubURI). The HTTP client used in the UploadKerberosHub() function is configured to follow HTTP redirects automatically without a CheckRedirect policy. While the Go net/http library strips standard sensitive headers during cross-host redirects, it does not strip custom headers. Consequently, if the configured HubURI returns a cross-host redirect, the private key is forwarded to the redirect target, disclosing the credential to an unintended third party. This can occur via an open redirect on the Hub host, a compromised Hub deployment, DNS/BGP hijacking, or a malicious URL provided in the agent configuration. An attacker obtaining these keys can impersonate the device and gain unauthorized access to the Kerberos Hub.Recommendations
Implement a
CheckRedirect policy on the HTTP client used in UploadKerberosHub() to strip the X-Kerberos-Hub-PrivateKey and X-Kerberos-Hub-PublicKey headers when the redirect target host differs from the original request host.Fix
Information Disclosure
Insufficiently Protected Credentials
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Kerberos-Io/Agent