Threat Advisory

Kerberos Agent Machinery Vulnerability Leaks Private Key

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-50192 with a CVSS score of 5.5 is a credential leakage vulnerability in the Kerberos Hub agent library (go/github.com/kerberos-io/agent/machinery) affecting all versions prior to 0.0.0-20260528173546-51f1a52e170f. The library builds an HTTP client without a CheckRedirect policy and sends the agent’s Hub private key and public key in custom headers (X‑Kerberos‑Hub‑PrivateKey / X‑Kerberos‑Hub‑PublicKey) to the operator‑configured HubURI; when the HubURI returns a cross‑host 30x redirect, Go’s net/http only strips standard authentication headers, leaving the custom secret headers intact and forwarding them to the redirect target. An attacker who can control or compromise the HubURI domain, or who can induce a redirect (e.g., via an open‑redirect, DNS hijack, or malicious configuration) can cause the client to automatically follow the redirect and exfiltrate the private key. Possession of the private key grants the attacker full authentication to the Kerberos Hub, enabling them to upload fabricated data, impersonate devices, or disrupt service. The business impact includes unauthorized data injection, loss of device integrity, and potential exposure of downstream services that rely on the Hub for secure communication. Exploitation requires that the victim agent be configured with a HubURI that issues a cross‑origin redirect to an attacker‑controlled host, and that the attacker can receive the redirected request.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-50192 with a CVSS score of 5.5 is a credential leakage vulnerability in the Kerberos Hub agent library (go/github.com/kerberos-io/agent/machinery) affecting all versions prior to 0.0.0-20260528173546-51f1a52e170f. The library builds an HTTP client without a CheckRedirect policy and sends the agent’s Hub private key and public key in custom headers (X‑Kerberos‑Hub‑PrivateKey / X‑Kerberos‑Hub‑PublicKey) to the operator‑configured HubURI; when the HubURI returns a cross‑host 30x redirect, Go’s net/http only strips standard authentication headers, leaving the custom secret headers intact and forwarding them to the redirect target. An attacker who can control or compromise the HubURI domain, or who can induce a redirect (e.g., via an open‑redirect, DNS hijack, or malicious configuration) can cause the client to automatically follow the redirect and exfiltrate the private key. Possession of the private key grants the attacker full authentication to the Kerberos Hub, enabling them to upload fabricated data, impersonate devices, or disrupt service. The business impact includes unauthorized data injection, loss of device integrity, and potential exposure of downstream services that rely on the Hub for secure communication. Exploitation requires that the victim agent be configured with a HubURI that issues a cross‑origin redirect to an attacker‑controlled host, and that the attacker can receive the redirected request.[emaillocker id="1283"]

RECOMMENDATION:

  • We recommend you to update go/github.com/kerberos-io/agent/machinery to version 0.0.0-20260528173546-51f1a52e170f.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-h5gx-45rj-2h5j

[/emaillocker]
crossmenu