Konghq Konghq

  1. Vendors
  2. Konghq

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Konghq product.

RSS Feeds for Konghq security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Konghq products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Konghq Sorted by Most Security Vulnerabilities since 2018

Konghq Kong Gateway2 vulnerabilities

Konghq Docker Kong1 vulnerability

Konghq Insomnia1 vulnerability

Konghq Kong1 vulnerability

Konghq Multipart1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Konghq. Konghq did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 0 0.00
2024 0 0.00
2023 4 7.18
2022 0 0.00
2021 1 7.50
2020 1 0.00

It may take a day or so for new Konghq vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Konghq Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2023-44487 Oct 10, 2023
HTTP/2 DoS via Stream Reset in nginx The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Kong Gateway
CVE-2023-40299 Oct 04, 2023
Kong Insomnia 2023.4.0 OSX Code Exec via DYLD_INSERT_LIBRARIES Kong Insomnia 2023.4.0 on macOS allows attackers to execute code and access restricted files, or make requests for TCC permissions, by using the DYLD_INSERT_LIBRARIES environment variable.
Insomnia
CVE-2023-2418 Apr 29, 2023
Insufficient Randomness in Konga 2.8.3 Login API (CVE-2023-2418) A vulnerability was found in Konga 2.8.3 on Kong. It has been classified as problematic. This affects an unknown part of the component Login API. The manipulation leads to insufficiently random values. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The associated identifier of this vulnerability is VDB-227715.
Kong
CVE-2020-36661 Feb 12, 2023
Kong lua-multipart regex complexity vulnerability 0.5.8 (fixed 0.5.9) A vulnerability was found in Kong lua-multipart 0.5.8-1. It has been declared as problematic. This vulnerability affects the function is_header of the file src/multipart.lua. The manipulation leads to inefficient regular expression complexity. Upgrading to version 0.5.9-1 is able to address this issue. The patch is identified as d632e5df43a2928fd537784a99a79dec288bf01b. It is recommended to upgrade the affected component. VDB-220642 is the identifier assigned to this vulnerability.
Multipart
CVE-2021-27306 Mar 18, 2021
An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid token JWT.
Kong Gateway
CVE-2020-11710 Apr 12, 2020
An issue was discovered in docker-kong (for Kong) through 2.0.3 An issue was discovered in docker-kong (for Kong) through 2.0.3. The admin API port may be accessible on interfaces other than 127.0.0.1. NOTE: The vendor argue that this CVE is not a vulnerability because it has an inaccurate bug scope and patch links. 1) Inaccurate Bug Scope - The issue scope was on Kong's docker-compose template, and not Kong's docker image itself. In reality, this issue is not associated with any version of the Kong gateway. As such, the description stating An issue was discovered in docker-kong (for Kong) through 2.0.3. is incorrect. This issue only occurs if a user decided to spin up Kong via docker-compose without following the security documentation. The docker-compose template is meant for users to quickly get started with Kong, and is meant for development purposes only. 2) Incorrect Patch Links - The CVE currently points to a documentation improvement as a Patch link: https://github.com/Kong/docs.konghq.com/commit/d693827c32144943a2f45abc017c1321b33ff611.This link actually points to an improvement Kong Inc made for fool-proofing. However, instructions for how to protect the admin API were already well-documented here: https://docs.konghq.com/2.0.x/secure-admin-api/#network-layer-access-restrictions , which was first published back in 2017 (as shown in this commit: https://github.com/Kong/docs.konghq.com/commit/e99cf875d875dd84fdb751079ac37882c9972949) Lastly, the hyperlink to https://github.com/Kong/kong (an unrelated Github Repo to this issue) on the Hyperlink list does not include any meaningful information on this topic.
Docker Kong
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.