
GHSA-55f6-4pr5-c7m5: Kahi has privilege-drop and socket/log permission issues

Severity: High
Published: 06/30/2026 (06/30/2026, 18:07:44 UTC)
Source: GCVE Database
Product: github.com/kahiteam/kahi

Description

Kahi versions up to and including v0.1.0-alpha.8 have three privilege and permission issues related to improper privilege dropping and socket permissions. These issues allow processes to run with higher privileges than intended and expose FastCGI unix sockets to unauthorized local users. The issues are fixed in version v0.1.0-alpha.9, which enforces fail-closed privilege handling and restricts socket permissions by default.

Affected software

Ecosystem: Go (GHSA)
Package: github.com/kahiteam/kahi
Affected versions: <0.1.0-alpha.9


AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/30/2026, 23:52:31 UTC

Technical Analysis

Kahi releases up to v0.1.0-alpha.8 have three security issues: (1) a high-severity flaw where per-process privilege drop was not applied, causing child processes to run with the supervisor's privileges (often root) instead of the configured lower-privilege user; (2) a medium-severity issue where supplementary groups were not reset during privilege drop, allowing inherited elevated group privileges; and (3) a medium-severity issue where FastCGI unix sockets were world-accessible by default unless an explicit restrictive socket_mode was set. These issues were identified in a full codebase security review and fixed in v0.1.0-alpha.9 by enforcing fail-closed privilege handling, resetting supplementary groups, and defaulting FastCGI socket permissions to 0700.

Potential Impact

Processes intended to run with reduced privileges may instead run with elevated privileges, increasing the risk of privilege escalation. Supplementary groups with elevated permissions remain active after privilege drop, potentially granting unintended access. FastCGI unix sockets being world-accessible by default allow any local user to connect, potentially exposing sensitive services or data.

Mitigation Recommendations

Upgrade to Kahi version v0.1.0-alpha.9, which fixes all identified privilege and permission issues by enforcing privilege drops or refusing to start, resetting supplementary groups, and setting restrictive default socket permissions. For versions <= v0.1.0-alpha.8, workarounds include running the supervisor as the intended unprivileged user instead of relying on per-process user configuration, explicitly setting restrictive socket_mode on FastCGI programs, and avoiding running the supervisor as root where possible.
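The fail-closed privilege drop and supplementary-group reset described above, as an added Go example (not Kahi's own code): the set* calls are issued in the safe order, the result is re-read from the kernel, and any mismatch is returned so the caller refuses to start. uid/gid 1000 in main is a constructed placeholder for the configured service user.

```go
package main

import (
	"fmt"
	"log"
	"syscall"
)

// dropPrivileges clears supplementary groups, then sets gid and finally uid
// (setuid last, since it usually removes the right to change the others),
// and re-reads the result from the kernel. Fail-closed: on error the caller
// must refuse to start rather than run with the supervisor's privileges.
func dropPrivileges(uid, gid int) error {
	if err := syscall.Setgroups([]int{}); err != nil {
		return fmt.Errorf("setgroups: %w", err)
	}
	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid: %w", err)
	}
	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid: %w", err)
	}
	return verifyPrivileges(uid, gid)
}

// verifyPrivileges rejects any leftover real/effective uid or gid and any
// supplementary group other than gid; the set* calls alone are not trusted.
func verifyPrivileges(uid, gid int) error {
	if syscall.Getuid() != uid || syscall.Geteuid() != uid ||
		syscall.Getgid() != gid || syscall.Getegid() != gid {
		return fmt.Errorf("credentials not dropped: euid %d egid %d", syscall.Geteuid(), syscall.Getegid())
	}
	groups, err := syscall.Getgroups()
	if err != nil {
		return fmt.Errorf("getgroups: %w", err)
	}
	for _, g := range groups {
		if g != gid {
			return fmt.Errorf("supplementary group %d survived the drop", g)
		}
	}
	return nil
}

func main() {
	// Constructed target: uid/gid 1000 stands in for the configured service user.
	if err := dropPrivileges(1000, 1000); err != nil {
		log.Fatalln("refusing to start:", err)
	}
	log.Println("running as uid", syscall.Getuid())
}
```

Run as root it either ends up as the target user with an empty supplementary group list or exits non-zero; run unprivileged it exits non-zero at the first set* call instead of silently keeping the caller's identity.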


Technical Details

GCVE source: db.gcve.eu
OSV ID: GHSA-55f6-4pr5-c7m5
OSV schema version: 1.4.0
Aliases: []
Ecosystems: ["Go"]
Database-specific severity: HIGH
CVSS version: null

Threat ID: 6a4452e927e9c797198e1aa0

Added to database: 06/30/2026, 23:36:09 UTC

Last enriched: 06/30/2026, 23:52:31 UTC

Last updated: 06/30/2026, 23:52:31 UTC

