PT-2026-55464 · Unknown · Kerberos-Io/Agent

Published

2026-07-02

·

Updated

2026-07-07

·

CVE-2026-50192

CVSS v4.0

6.9

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions kerberos-io/agent versions prior to 3.6.26
Description An issue exists in the Kerberos Hub upload path where the agent sends credentials in the custom X-Kerberos-Hub-PrivateKey and X-Kerberos-Hub-PublicKey request headers to the operator-configured Hub URL (config.HubURI). The HTTP client used in the UploadKerberosHub() function is configured to follow HTTP redirects automatically without a CheckRedirect policy. While the Go net/http library strips standard sensitive headers during cross-host redirects, it does not strip custom headers. Consequently, if the configured HubURI returns a cross-host redirect, the private key is forwarded to the redirect target, disclosing the credential to an unintended third party. This can occur via an open redirect on the Hub host, a compromised Hub deployment, DNS/BGP hijacking, or a malicious URL provided in the agent configuration. An attacker obtaining these keys can impersonate the device and gain unauthorized access to the Kerberos Hub.
Recommendations Implement a CheckRedirect policy on the HTTP client used in UploadKerberosHub() to strip the X-Kerberos-Hub-PrivateKey and X-Kerberos-Hub-PublicKey headers when the redirect target host differs from the original request host.

Fix

Information Disclosure

Insufficiently Protected Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-50192
GHSA-H5GX-45RJ-2H5J
GO-2026-5890

Affected Products

Kerberos-Io/Agent