The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
| Version | Base score | Base severity | Vector |
|---|
| Hyperlink | Resource Type |
|---|
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
| Type | CWE ID | Description |
|---|---|---|
| N/A | N/A | CWE-1289: Improper Validation of Unsafe Equivalence in Input |
| Version | Base score | Base severity | Vector |
|---|
| CAPEC ID | Description |
|---|
| Event | Date |
|---|
| Hyperlink | Resource |
|---|---|
| https://go.dev/cl/767220 | N/A |
| https://go.dev/issue/78760 | N/A |
| https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 | N/A |
| https://pkg.go.dev/vuln/GO-2026-5026 | N/A |
| Version | Base score | Base severity | Vector |
|---|---|---|---|
| 3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
| CAPEC ID | Description |
|---|
| Event | Date |
|---|
| Hyperlink | Resource |
|---|
A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname (for example, xn--example-.com returns example.com instead of an error). Applications that validate the ASCII form then convert to Unicode may grant access to a restricted hostname the ASCII check would have rejected.
| Version | Base score | Base severity | Vector |
|---|---|---|---|
| 3.1 | 8.2 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N |
| CAPEC ID | Description |
|---|
RHSA-2026:41019: RHEM 1.1 for RHEL 10, RHEM 1.1 for RHEL 9
RHSA-2026:34789: Red Hat OpenShift Container Platform 4.22
RHSA-2026:36796: RHEM 1.0 for RHEL 9
RHSA-2026:30855: Red Hat Enterprise Linux AppStream (v. 10)
RHSA-2026:37436: Red Hat Enterprise Linux AppStream (v. 10)
RHSA-2026:35827: Red Hat Enterprise Linux AppStream (v. 10)
RHSA-2026:35826: Red Hat Enterprise Linux AppStream (v. 10)
RHSA-2026:34357: Red Hat Enterprise Linux AppStream (v. 10)
RHSA-2026:39005: Red Hat Enterprise Linux AppStream (v. 10)
RHSA-2026:39573: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)
RHSA-2026:38995: Red Hat Enterprise Linux AppStream (v. 8)
RHSA-2026:30853: Red Hat Enterprise Linux AppStream (v. 8)
RHSA-2026:35830: Red Hat Enterprise Linux AppStream (v. 8)
RHSA-2026:35831: Red Hat Enterprise Linux AppStream (v. 8)
RHSA-2026:30854: Red Hat Enterprise Linux AppStream (v. 9)
RHSA-2026:37435: Red Hat Enterprise Linux AppStream (v. 9)
RHSA-2026:35828: Red Hat Enterprise Linux AppStream (v. 9)
RHSA-2026:35829: Red Hat Enterprise Linux AppStream (v. 9)
RHSA-2026:34359: Red Hat Enterprise Linux AppStream (v. 9)
RHSA-2026:39879: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)
RHSA-2026:34342: Cluster Observability Operator 1.5.0
RHSA-2026:36808: DevWorkspace Operator 0.42
RHSA-2026:34364: Logging Subsystem for Red Hat OpenShift 6.4
RHSA-2026:41030: Multicluster Global Hub 1.4.5
RHSA-2026:30651: Red Hat Advanced Cluster Management for Kubernetes 2.13
RHSA-2026:26547: Red Hat Advanced Cluster Security for Kubernetes 4.10
RHSA-2026:36207: Red Hat Advanced Cluster Security for Kubernetes 4.11
RHSA-2026:26546: Red Hat Advanced Cluster Security for Kubernetes 4.9
RHSA-2026:36651: Red Hat Edge Manager 1.0
RHSA-2026:40945: Red Hat Edge Manager 1.1
RHSA-2026:40118: Red Hat Edge Manager 1.1
RHSA-2026:33531: Red Hat Enterprise Linux AI 3.4
RHSA-2026:33524: Red Hat Enterprise Linux AI 3.4
RHSA-2026:23262: Red Hat Hardened Images
RHSA-2026:23264: Red Hat Hardened Images
RHSA-2026:36648: Red Hat OpenShift Builds 1.7.4
RHSA-2026:41036: Red Hat OpenShift Builds 1.8.1
RHSA-2026:36820: Red Hat OpenShift Dev Spaces 3.29
RHSA-2026:35994: Red Hat OpenShift GitOps 1.19
RHSA-2026:35993: Red Hat OpenShift GitOps 1.20
RHSA-2026:33155: Red Hat OpenShift Service Mesh 2.6
RHSA-2026:33163: Red Hat OpenShift Service Mesh 3.1
RHSA-2026:33173: Red Hat OpenShift Service Mesh 3.2
RHSA-2026:33183: Red Hat OpenShift Service Mesh 3.3
RHSA-2026:33160: Red Hat OpenShift Service Mesh 3
RHSA-2026:37387: Red Hat Openshift Data Foundation 4.22
RHSA-2026:41031: Red Hat Quay 3.10
RHSA-2026:41066: Red Hat Quay 3.16
RHSA-2026:40262: Red Hat Quay 3.9
RHSA-2026:36797: Red Hat Trusted Artifact Signer 1.4
RHSA-2026:36105: multicluster engine for Kubernetes 2.6
RHSA-2026:36167: multicluster engine for Kubernetes 2.6
RHSA-2026:41055: multicluster engine for Kubernetes 2.6
RHSA-2026:40119: multicluster engine for Kubernetes 2.6
RHSA-2026:30650: multicluster engine for Kubernetes 2.8
RHSA-2026:36883: multicluster engine for Kubernetes 2.9
Upgrade to a fixed golang.org/x/net release that includes the idna correction, via updated golang or dependent package rebuilds.
| Event | Date |
|---|---|
| Reported to Red Hat. | 2026-05-22 16:00:52 |
| Made public. | 2026-05-22 15:01:21 |
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
| Date Added | Due Date | Vulnerability Name | Required Action |
|---|---|---|---|
| N/A |
| Type | Version | Base score | Base severity | Vector |
|---|---|---|---|---|
| Secondary | 3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
| Secondary | 3.1 | 8.2 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N |
| N/A |
A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized VCenter access, cluster management, and privilege escalation.
In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2, the Tekton Pipelines git resolver is vulnerable to path traversal via the `pathInRepo` parameter. A tenant with permission to create `ResolutionRequests` (e.g. by creating `TaskRuns` or `PipelineRuns` that use the git resolver) can read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens. The file contents are returned base64-encoded in `resolutionrequest.status.data`. Versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2 contain a patch.
A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442 Patches: Upgrade to fastify v5.8.5 or later. Workarounds: None. Upgrade to the patched version.
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.