Edge Manager Red Hat Edge Manager

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Red Hat Edge Manager.

Recent Red Hat Edge Manager Security Advisories

Advisory Title Published
RHSA-2026:36796 (RHSA-2026:36796) Important: Red Hat Edge Manager Version 1.0.3 Security Update July 8, 2026
RHSA-2026:36651 (RHSA-2026:36651) Red Hat Edge Manager Version 1.0.3 Security Update July 8, 2026
RHSA-2025:3685 (RHSA-2025:3685) Important: Red Hat Edge Manager Version 0.5.1 (Technology Preview) security fixes April 8, 2025

By the Year

In 2026 there have been 36 vulnerabilities in Red Hat Edge Manager with an average score of 7.8 out of ten. Last year, in 2025 Edge Manager had 1 security vulnerability published. That is, 35 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 4.10.

Year Vulnerabilities Average Score
2026 36 7.80
2025 1 3.70

It may take a day or so for new Edge Manager vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Edge Manager Security Vulnerabilities

fast-uri <=3.1.2/4.0.0 Unicode IDN Canonicalization Bug
CVE-2026-13676 7.5 - High - June 29, 2026

fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.

Interpretation Conflict

Go crypto/x509 VerifyHostname DNS SAN quadratic overhead
CVE-2026-27145 7.5 - High - June 02, 2026

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Unchecked Input for Loop Condition

golang.org/x/net/idna pre-0.55.0 IDN bug allows silent ASCII/Unicode mix
CVE-2026-39821 8.2 - High - May 22, 2026

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Improper Validation of Unsafe Equivalence in Input

Auth Bypass in golang.org/x/crypto/ssh <0.52.0
CVE-2026-46595 7.1 - High - May 22, 2026

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

AuthZ

KnownHosts Revocation Check Failure in golang.org/x/crypto/ssh<0.52.0
CVE-2026-42508 7.4 - High - May 22, 2026

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

Improper Certificate Validation

SSH Agent Constraint-Serialization Bug (v<0.52.0)
CVE-2026-39832 8.7 - High - May 22, 2026

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Improper Preservation of Permissions

SSH Auth PartialSuccessError Permissions Discarded (golang.org/x/crypto/ssh <0.52.0)
CVE-2026-39828 8.8 - High - May 22, 2026

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Improper Preservation of Permissions

go/crypto/ssh CPU DoS via oversized RSA/DSA keys before 0.52
CVE-2026-39829 7.5 - High - May 22, 2026

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Improper Validation of Specified Quantity in Input

Resource Leak in golang.org/x/crypto/ssh <0.52.0 via Global Request Buffers
CVE-2026-39830 7.5 - High - May 22, 2026

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Missing Release of Resource after Effective Lifetime

golang.org/x/crypto/ssh: CertChecker nil callback panic <0.52.0
CVE-2026-39835 7.5 - High - May 22, 2026

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

NULL Pointer Dereference

Go net/mail 1.25.x-1.26.3: ParseAddress/Date CPU/Memory Exhaustion
CVE-2026-39820 7.5 - High - May 07, 2026

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

Unchecked Input for Loop Condition

Double-free CVE-2026-33811 via LookupCNAME in Go net (<=1.26.2)
CVE-2026-33811 7.5 - High - May 07, 2026

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

1341

DoS via consumePhrase in Go net/mail RFC 5322 parsing <1.26.3
CVE-2026-42499 7.5 - High - May 07, 2026

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

Creation of Immutable Text Using String Concatenation

fast-uri <=3.1.1 URI Normalization Bypass via Percent-Decoded @
CVE-2026-6322 7.5 - High - May 05, 2026

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.

Interpretation Conflict

Heap Exhaustion via Unvalidated Len in Prometheus Remote Read (<3.5.3/3.11.3)
CVE-2026-42154 7.5 - High - May 04, 2026

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.

Resource Exhaustion

Prometheus OAuth Client Secret Exposure via /-/config (pre 3.5.3/3.11.3)
CVE-2026-42151 7.5 - High - May 04, 2026

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.

Information Disclosure

follow-redirects: Auth Header Leak via Cross-Domain Redirects (1.15.x)
CVE-2026-40895 7.5 - High - April 21, 2026

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.

Information Disclosure

Go lib spdystream <0.5.1 OOM via SPDY frame parsing
CVE-2026-35469 6.5 - Medium - April 16, 2026

spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.

Allocation of Resources Without Limits or Throttling

Go crypto/x509 Intermediates DoS (<=1.26.2)
CVE-2026-32280 7.5 - High - April 08, 2026

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Allocation of Resources Without Limits or Throttling

Go crypto/tls TLS 1.3 KeyUpdate deadlock DoS (1.25.9 & <1.26.2)
CVE-2026-32283 7.5 - High - April 08, 2026

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

Multiple Locks of a Critical Resource

Go 1.26.x crypto/x509 DNS Constraint Case Sensitivity
CVE-2026-33810 8.8 - High - April 08, 2026

When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Improper Validation of Unsafe Equivalence in Input

Memory-safety flaw in Go pgx pgproto3 component
CVE-2026-33816 8.3 - High - April 07, 2026

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Memory Corruption

Memory-Safety CVE-2026-33815 in pgx/v5 (Go Postgres Driver)
CVE-2026-33815 8.3 - High - April 07, 2026

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Memory Corruption

Lodash <4.18.0 _.template key-names RCE
CVE-2026-4800 8.1 - High - March 31, 2026

Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function(). Patches: Users should upgrade to version 4.18.0. Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

Code Injection

DoS via Exponential Regex Expansion in path-to-regexp 8.4.0
CVE-2026-4926 7.5 - High - March 26, 2026

Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

Resource Exhaustion

gRPC-Go Auth Bypass (1.79.2) via noncanonical :path
CVE-2026-33186 9.1 - Critical - March 20, 2026

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

AuthZ

flatted <=3.3.0 Recursion Stack Overflow in parse()
CVE-2026-32141 7.5 - High - March 12, 2026

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.

Stack Exhaustion

Go <1.26: crypto/x509 Email Constraint Bug
CVE-2026-27137 7.5 - High - March 06, 2026

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

Improper Certificate Validation

Go net/url Host Validation Flaw in Parse (v<1.25.8, <1.26.1)
CVE-2026-25679 7.5 - High - March 06, 2026

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Improper Validation of Syntactic Correctness of Input

Prototype Pollution in Immutable.js v<3.8.3/4.3.7/5.1.5 via mergeDeep API
CVE-2026-29063 8.8 - High - March 06, 2026

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

Prototype Pollution

CVE-2025-69873: ajv 8.17.1 ReDoS via $data regex injection
CVE-2025-69873 7.5 - High - February 11, 2026

ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.

ReDoS

Go net/url: MEM BOMB via Unlimited Query Param Count
CVE-2025-61726 7.5 - High - January 28, 2026

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Allocation of Resources Without Limits or Throttling

Prototype Pollution via _.unset/.omit in Lodash 4.17.22
CVE-2025-13465 8.2 - High - January 21, 2026

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23

Prototype Pollution

ReactRouter @remix-run/router<1.23.2/ReactRouter<7.12.0 OpenURL to JS Exec
CVE-2026-22029 8 - High - January 10, 2026

React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.

XSS

React Router createFileSessionStorage path traversal before 7.9.4/2.17.2
CVE-2025-61686 9.1 - Critical - January 10, 2026

React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.

Directory traversal

urllib3 v1.22v2.6.3 Redirect Stream Decompress Bomb (preload_content=False)
CVE-2026-21441 7.5 - High - January 07, 2026

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.

Data Amplification

CIRCL FourQ RCE via Low-Order Point Injection in Diffie-Hellman
CVE-2025-8556 3.7 - Low - August 06, 2025

A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.

Improper Validation of Specified Type of Input

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Red Hat Edge Manager or by Red Hat? Click the Watch button to subscribe.

Red Hat
Vendor

subscribe