Vulnerability Reportthanosio/thanos:main-2026-06-15-7137547

thanosio/thanos:main-2026-06-15-7137547

DIGESTsha256:8976e56504bf988e1b197662e6e04d6f87771a19c182733cee160370468827bf

Executive Summary

Threat ScoreNEEDS ATTENTION• Image from reliable community (75M+ pulls) but contains 25 exposed vulnerabilities.• Two high-severity DoS vulnerabilities (CVE-2026-42154, CVE-2026-33814) with severity 6.38.• Both vulnerabilities are remotely exploitable without authentication, enabling denial of service.• No critical data exposure or code execution risks present.• Remediation advised to reduce attack surface and improve availability.

25/100NEEDS ATTENTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (75M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. There are 25 exposed vulnerabilities, with two high-severity DoS flaws (CVE-2026-42154 and CVE-2026-33814) that can be exploited remotely without authentication to cause memory exhaustion or infinite loop, leading to denial of service. The image is from a reputable community publisher and is pinned by digest, ensuring integrity. While no data compromise is possible, service availability could be impacted. Upgrading to patched versions of the underlying Go libraries is advised.

Vulnerabilities

Vulnerability Log

31 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42154	MEDIUM6.38	github.com/prometheus/prometheus v0.309.1 fixed in 0.311.3, 0.305.2	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-33814	MEDIUM6.38	golang.org/x/net v0.49.0 fixed in 0.53.0	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-39883	MEDIUM5.95	go.opentelemetry.io/otel/sdk v1.39.0 fixed in 1.43.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34986	MEDIUM5.1	github.com/go-jose/go-jose/v4 v4.1.3 fixed in 4.1.4	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42151	MEDIUM5.1	github.com/prometheus/prometheus v0.309.1 fixed in 0.311.3	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-29181	MEDIUM5.1	go.opentelemetry.io/otel v1.39.0 fixed in 1.41.0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-39821	MEDIUM4.18	golang.org/x/net v0.49.0 fixed in 0.55.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-40179	MEDIUM4.14	github.com/prometheus/prometheus v0.309.1 fixed in 0.311.2-0.20260410083055-07c6232d159b	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-44903	MEDIUM4.14	github.com/prometheus/prometheus v0.309.1 fixed in 0.311.3	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-39828	LOW2.69	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-39829	LOW2.29	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39830	LOW2.29	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-42508	LOW2.26	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-46595	LOW2.17	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-46598	LOW1.62	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-2303	NONE0	go.mongodb.org/mongo-driver v1.17.6 fixed in 1.17.7	0.2% Theoretical Threat	Not Applicable
CVE-2026-39882	NONE0	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.39.0 fixed in 1.43.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-24051	NONE0	go.opentelemetry.io/otel/sdk v1.39.0 fixed in 1.40.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39827	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39835	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-46597	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39831	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39832	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39833	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39834	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.5% Theoretical Threat	Not Applicable
CVE-2026-25680	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-25681	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-27136	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42502	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42506	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39824	NONE0	golang.org/x/sys v0.40.0 fixed in 0.44.0	0.1% Theoretical Threat	Not Applicable