Vulnerability Reportthanosio/thanos:main-2026-06-17-28de5df

thanosio/thanos:main-2026-06-17-28de5df

DIGESTsha256:a95a77b059bbbbaf9b3fda0674d86e437ea2ff376a07e133afd4c4e8983ebe3b

Executive Summary

Threat ScoreNEEDS ATTENTION• 3 exposed-surface vulnerabilities with severity 6.38, all denial-of-service (CVE-2026-42154, CVE-2026-29181, CVE-2026-33814)• Total of 25 vulnerabilities found, 6 post-exploit findings all low severity (max 2.69)• Image from popular community (75M+ pulls) pinned by digest, trust verdict RELIABLE• No post-exploit vulnerabilities with severity >= 7.0• All top findings are denial-of-service, no data exposure or remote code execution

25/100NEEDS ATTENTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (75M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. The three denial-of-service vulnerabilities (CVE-2026-42154, CVE-2026-29181, CVE-2026-33814) could allow an unauthenticated remote attacker to crash the Thanos process or exhaust resources via crafted requests. Upgrading to patched versions of prometheus, opentelemetry-go, and golang.org/x/net would fully address these issues.

Vulnerabilities

Vulnerability Log

31 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42154	MEDIUM6.38	github.com/prometheus/prometheus v0.309.1 fixed in 0.311.3, 0.305.2	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-29181	MEDIUM6.38	go.opentelemetry.io/otel v1.39.0 fixed in 1.41.0	0.3% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-33814	MEDIUM6.38	golang.org/x/net v0.49.0 fixed in 0.53.0	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-39883	MEDIUM5.95	go.opentelemetry.io/otel/sdk v1.39.0 fixed in 1.43.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-39821	MEDIUM5.58	golang.org/x/net v0.49.0 fixed in 0.55.0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42151	MEDIUM5.1	github.com/prometheus/prometheus v0.309.1 fixed in 0.311.3	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-40179	MEDIUM4.14	github.com/prometheus/prometheus v0.309.1 fixed in 0.311.2-0.20260410083055-07c6232d159b	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-44903	MEDIUM4.14	github.com/prometheus/prometheus v0.309.1 fixed in 0.311.3	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34986	LOW3.83	github.com/go-jose/go-jose/v4 v4.1.3 fixed in 4.1.4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39828	LOW2.69	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-39829	LOW2.29	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39830	LOW2.29	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-42508	LOW2.26	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-46595	LOW2.17	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-46598	LOW1.62	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-2303	NONE0	go.mongodb.org/mongo-driver v1.17.6 fixed in 1.17.7	0.2% Theoretical Threat	Not Applicable
CVE-2026-39882	NONE0	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.39.0 fixed in 1.43.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-24051	NONE0	go.opentelemetry.io/otel/sdk v1.39.0 fixed in 1.40.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39827	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39835	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-46597	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39831	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39832	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39833	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39834	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.5% Theoretical Threat	Not Applicable
CVE-2026-25680	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-25681	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-27136	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42502	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42506	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39824	NONE0	golang.org/x/sys v0.40.0 fixed in 0.44.0	0.1% Theoretical Threat	Not Applicable