This release includes 11 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: Upgrade the Golang runtime to version 1.26.4 and patch multiple critical CVEs listed in the release.
Why it matters: CVE severity is high (severity 95) for ten vulnerabilities; upgrade to Go 1.26.4 resolves them, protecting application security.
Summary
AI summary: Updates Release Highlights, Changes since v7.15.2, and https://nvd.nist.gov/vuln/detail/CVE-2026-33811 across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Address vulnerabilities CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39836, CVE-2026-42499, CVE-2026-42504, CVE-2026-39823, CVE-2026-39826, CVE-2026-39825, CVE-2026-27145, CVE-2026-42507 (Source: llm_adapter@2026-06-09, Confidence: high) | — |
| Dependency | Critical | Upgrade Golang runtime to version 1.26.4 (Source: llm_adapter@2026-06-09, Confidence: high) | — |
| Dependency | Medium | Bump Go to version 1.26 and migrate reverse proxy handling (Source: llm_adapter@2026-06-09, Confidence: high) | — |
Full changelog
Release Highlights
- 🔵 Golang version upgrade to v1.26.4
- Upgrade of all dependencies to their latest versions
- 🕵️♀️ Vulnerabilities have been addressed
Important Notes
Breaking Changes
Changes since v7.15.2
- #3477 chore(dep): bump go to 1.26 and migrate of reverse proxy handling
Breaking Changes
- Minimum Golang runtime version increased to 1.26.4
Security Fixes
- CVE-2026-33811 — vulnerability addressed
- CVE-2026-33814 — vulnerability addressed
- CVE-2026-39820 — vulnerability addressed
- CVE-2026-39836 — vulnerability addressed
- CVE-2026-42499 — vulnerability addressed
- CVE-2026-42504 — vulnerability addressed
- CVE-2026-39823 — vulnerability addressed
- CVE-2026-39826 — vulnerability addressed
- CVE-2026-39825 — vulnerability addressed
- CVE-2026-27145 — vulnerability addressed
- CVE-2026-42507 — vulnerability addressed
About oauth2-proxy
A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
Related CVEs
- CVE-2026-27145
- CVE-2026-33811
- CVE-2026-33814
- CVE-2026-39820
- CVE-2026-39823
- CVE-2026-39825
- CVE-2026-39826
- CVE-2026-39836
- CVE-2026-42499
- CVE-2026-42504
- CVE-2026-42507