CVE-2026-52880

HIGHPre-NVD 7.57.5
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.1%, top 84% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
7.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

klever-go: REST API slow-header connection exhaustion via Gin Engine.Run

Summary

The Klever seednode REST API starts a Gin engine with Engine.Run(restAPIInterface). In Gin v1.9.1, Engine.Run calls Go's default http.ListenAndServe, which constructs an HTTP server without application-level ReadHeaderTimeout, ReadTimeout, or MaxHeaderBytes limits.

An unauthenticated client that can reach a REST listener bound with Klever's documented --rest-api-interface :8080 all-interface option can hold incomplete HTTP headers open indefinitely. In a local proof against the real cmd/seednode/api.Start path on v1.7.17, 120 slow-header connections caused 20/20 legitimate /log probes to fail with accept: too many open files. A fixed control using the same Gin router behind an explicit http.Server with ReadHeaderTimeout, ReadTimeout, and MaxHeaderBytes retained 0 slow connections and served 20/20 probes.

This report is distinct from the P2P advisories and from my direct-message goroutine report. This finding concerns Klever-owned HTTP REST startup code (cmd/seednode/api and network/api) using Gin Engine.Run without server-level header deadlines. It does not depend on MultiDataInterceptor, Batch.Decompress, libp2p, malformed P2P messages, or direct-message goroutine spawning.

Details

Seednode REST API, latest release v1.7.17:

  • cmd/seednode/api/api.go:17 defines Start(restAPIInterface, marshalizer).
  • cmd/seednode/api/api.go:18 creates ws := gin.Default().
  • cmd/seednode/api/api.go:23 returns ws.Run(restAPIInterface).
  • cmd/seednode/CLI.md:23 documents --rest-api-interface; it says :8080 binds all interfaces and off disables the API.

Node REST API, latest release v1.7.17:

  • network/api/api.go:79 creates ws = gin.Default().
  • network/api/api.go:98 returns ws.Run(kleverFacade.RestAPIInterface()).
  • cmd/node/main.go:147-150 documents the same --rest-api-interface flag and says :8080 binds all interfaces.
  • docker/README.md:56-61 and docker/README.md:67-70 publish host port 8080 for full-node and validator Docker examples.
  • README.md:264-268 documents that the node exposes a REST API for blockchain queries and operations.

The seednode REST API source is byte-identical across v1.7.14 through v1.7.17; the captured runtime PoC was executed on v1.7.17.

Current develop commit 10bcfd50 remains affected:

  • network/api/api.go:98 still returns ws.Run(kleverFacade.RestAPIInterface()).
  • cmd/seednode/api/api.go:59 still returns ws.Run(restAPIInterface).

Gin v1.9.1 implements Engine.Run as:

func (engine *Engine) Run(addr ...string) (err error) {
    address := resolveAddress(addr)
    err = http.ListenAndServe(address, engine.Handler())
    return
}

In my source sweep, I did not find a production http.Server{ReadHeaderTimeout: ...} wrapper for either REST start path. The only ReadHeaderTimeout hit I found in the repository was a test helper under network/api/websocket/routes_test.go.

PoC

GitHub Private Vulnerability Reporting does not appear to allow file attachments in this form, so I am including the reproduction command and captured output inline. I can paste the full 254-line Go test patch in a reply immediately if useful.

The test starts two local child servers:

  • Vulnerable: the real cmd/seednode/api.Start path.
  • Fixed control: the same Gin router served through http.Server{ReadHeaderTimeout: 250ms, ReadTimeout: 250ms, MaxHeaderBytes: 4096}.

Reproduction from a clean checkout:

git clone https://github.com/klever-io/klever-go
cd klever-go
git checkout v1.7.17

Apply the PoC patch to cmd/seednode/api.

I can provide the full patch in this advisory thread.

go test ./cmd/seednode/api -run TestPoC_SeednodeAPISlowlorisDifferential -count=1 -v -timeout 60s

Captured output on v1.7.17:

POC_RESULT mode=vulnerable slow_connections_opened=120 slow_connections_still_open=111 legitimate_probe_ok=0 legitimate_probe_fail=20
POC_RESULT mode=fixed slow_connections_opened=120 slow_connections_still_open=0 legitimate_probe_ok=20 legitimate_probe_fail=0

The vulnerable server also logs repeated accept failures:

http: Accept error: accept tcp 127.0.0.1:56415: accept: too many open files; retrying in 1s

Impact

For an externally reachable Klever REST listener, a single unauthenticated client can retain many server-side connections by never completing HTTP headers. Because the Go server has no read-header deadline, those connections persist until the client closes them or an external proxy/firewall intervenes.

The direct result is REST API unavailability for legitimate clients. The local proof demonstrates this as 0/20 legitimate /log probes succeeding while the vulnerable server is saturated, versus 20/20 succeeding with the fixed server wrapper.

I am not claiming default public internet exposure. The default bind is localhost:8080. The affected condition is a REST API listener exposed through Klever's documented all-interface bind or Docker port-publish deployment shape.

This maps to the SECURITY.md High category: "Denial of Service affecting network availability." If Klever treats externally reachable REST API unavailability as non-critical because the default bind is localhost, the conservative classification is Medium under "Performance degradation attacks" / "Non-critical DoS vectors."

All testing was local loopback only. I did not contact Klever mainnet, public testnet, hosted RPCs, explorers, or third-party production infrastructure.

Suggested fix:

Start both REST APIs through explicit http.Server values instead of Engine.Run, for example:

srv := &http.Server{
    Addr:              restAPIInterface,
    Handler:           ws.Handler(),
    ReadHeaderTimeout: 5 * time.Second,
    ReadTimeout:       10 * time.Second,
    WriteTimeout:      30 * time.Second,
    IdleTimeout:       120 * time.Second,
    MaxHeaderBytes:    32 << 10,
}
return srv.ListenAndServe()

Apply the same pattern to:

  • cmd/seednode/api.Start
  • network/api.Start

If Klever expects deployments to expose the REST API through a reverse proxy, I still recommend setting server-level limits in the application. That keeps the binary safe when operators use the documented direct bind or Docker port-publish path.

CVSS v3
7.5
EG Score
7.5(low)
EPSS
16.0%
KEV
Not listed

Published

June 5, 2026

Last Modified

June 5, 2026

Vendor Advisories for CVE-2026-52880(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Go(1)
PackageVulnerable rangeFixed inDependents
github.com/klever-io/klever-go1.7.18

Data Freshness Timeline

(refreshed 10× in last 7d / 52× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-05 18:33 UTCEG score recompute
  2. 2026-07-04 20:35 UTCEG score recompute
  3. 2026-07-03 21:21 UTCEG score recompute
  4. 2026-07-03 09:45 UTCEG score recompute
  5. 2026-07-02 18:53 UTCEG score recompute
  6. 2026-07-02 07:27 UTCEG score recompute
  7. 2026-07-01 19:49 UTCEG score recompute
  8. 2026-07-01 08:22 UTCEG score recompute
  9. 2026-06-30 20:55 UTCEG score recompute
  10. 2026-06-30 09:13 UTCEG score recompute
  11. 2026-06-29 21:43 UTCEG score recompute
  12. 2026-06-29 10:17 UTCEG score recompute
  13. 2026-06-28 22:51 UTCEG score recompute
  14. 2026-06-28 11:25 UTCEG score recompute
  15. 2026-06-27 23:59 UTCEG score recompute
  16. 2026-06-27 12:33 UTCEG score recompute
  17. 2026-06-27 01:04 UTCEG score recompute
  18. 2026-06-26 13:02 UTCEG score recompute
  19. 2026-06-25 20:26 UTCEG score recompute
  20. 2026-06-25 08:59 UTCEG score recompute
  21. 2026-06-24 21:33 UTCEG score recompute
  22. 2026-06-24 08:26 UTCEG score recompute
  23. 2026-06-23 17:31 UTCEG score recompute
  24. 2026-06-23 02:15 UTCEG score recompute
  25. 2026-06-22 14:33 UTCEG score recompute
Show 27 more
  1. 2026-06-21 03:45 UTCEG score recompute
  2. 2026-06-20 11:01 UTCEG score recompute
  3. 2026-06-19 23:34 UTCEG score recompute
  4. 2026-06-19 11:25 UTCEG score recompute
  5. 2026-06-18 21:13 UTCEG score recompute
  6. 2026-06-18 09:44 UTCEG score recompute
  7. 2026-06-17 21:47 UTCEG score recompute
  8. 2026-06-17 10:22 UTCEG score recompute
  9. 2026-06-16 22:54 UTCEG score recompute
  10. 2026-06-16 11:29 UTCEG score recompute
  11. 2026-06-16 00:03 UTCEG score recompute
  12. 2026-06-15 12:36 UTCEG score recompute
  13. 2026-06-15 01:08 UTCEG score recompute
  14. 2026-06-14 23:18 UTCEPSS rescore
  15. 2026-06-14 13:41 UTCEG score recompute
  16. 2026-06-14 02:14 UTCEG score recompute
  17. 2026-06-13 23:00 UTCEPSS rescore
  18. 2026-06-13 14:48 UTCEG score recompute
  19. 2026-06-13 03:21 UTCEG score recompute
  20. 2026-06-12 23:12 UTCEPSS rescore
  21. 2026-06-12 15:55 UTCEG score recompute
  22. 2026-06-12 04:28 UTCEG score recompute
  23. 2026-06-11 17:02 UTCEG score recompute
  24. 2026-06-11 05:36 UTCEG score recompute
  25. 2026-06-10 18:10 UTCEG score recompute
  26. 2026-06-10 06:45 UTCEG score recompute
  27. 2026-06-09 19:19 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-52880?
CVE-2026-52880 is a high vulnerability published on June 5, 2026. klever-go: REST API slow-header connection exhaustion via Gin Engine.Run Summary The Klever seednode REST API starts a Gin engine with Engine.Run(restAPIInterface). In Gin v1.9.1, Engine.Run calls Go's default http.ListenAndServe, which constructs an HTTP server without application-level…
When was CVE-2026-52880 disclosed?
CVE-2026-52880 was first published in the National Vulnerability Database on June 5, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-52880 actively exploited?
CVE-2026-52880 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 16.0% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-52880?
CVE-2026-52880 has a CVSS v4.0 base score of 7.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-52880?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-52880, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-52880

Explore →

Is Your Infrastructure Affected by CVE-2026-52880?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.