Security Bulletins

Kiali releases every three weeks and so generally resolves CVEs in new releases only. Golang vulnerabilities are typically resolved in a timely way, as the Go version for release builds increments fairly often. Occasionally, critical CVEs may be resolved in patch releases for supported versions. Additionally, not every CVE reported against a Kiali dependency is actually a vulnerability. For reported CVEs that are proven not to affect Kiali, see the table below:

| CVE | Description | Notes |
| --- | --- | --- |
| CVE-2022-27191 | allows an attacker to crash a server in certain circumstances involving AddHostKey | Kiali does not use the AddHostKey API; furthermore, neither Kiali nor its dependencies import this component. Thus Kiali is not susceptible to this vulnerability. |
| CVE-2022-1996 | | Despite the package dependency Kiali is not susceptible to this vulnerability |
| CVE-2019-1010022 | GNU Libc current is affected by: Mitigation bypass. | This is a disputed CVE. According to upstream, it is not a security issue. For details, please see and |

For Kiali-specific vulnerabilities there will be releases made as needed. At release time a security bulletin will be released as well. For prior bulletins see below: