Server-Side Request Forgery (SSRF) Affecting kube-logging-operator package, versions <6.5.2-r0


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.27% (19th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-KUBELOGGINGOPERATOR-16877789
  • published26 May 2026
  • disclosed19 May 2026

Introduced: 19 May 2026

CVE-2026-33637  (opens in a new tab)
CWE-918  (opens in a new tab)

How to fix?

Upgrade Chainguard kube-logging-operator to version 6.5.2-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kube-logging-operator package and not the kube-logging-operator package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather than a String) to Faraday::Connection#build_exclusive_url. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request forgery: a request built from a fixed-base Faraday::Connection can be redirected to an attacker-controlled host, forwarding connection-scoped values such as Authorization headers and default query parameters. This issue has been fixed in version 2.14.3.

CVSS Base Scores

version 3.1