Kiali 2.11.10 for Red Hat OpenShift Service Mesh 3.1 fixes eight security vulnerabilities: CVE-2026-32280 (Go denial of service in certificate chain building), CVE-2026-40895 (information disclosure via cross-domain redirects in follow-redirects), and six Axios-related issues (CVE-2026-42033, CVE-2026-42035, CVE-2026-42039, CVE-2026-42041, CVE-2026-42043, CVE-2026-42044) involving prototype pollution leading to HTTP transport hijacking, arbitrary header injection, denial of service, authentication bypass, NO_PROXY bypass, and invisible JSON response tampering. These vulnerabilities affect the observability component of the service mesh, which visualizes mesh topology and metrics. Red Hat has released updated RPM packages for Kiali 2.11.10 to address these issues.

The vulnerabilities collectively could allow attackers to cause denial of service conditions, disclose sensitive information, hijack HTTP transport, inject arbitrary HTTP headers, bypass authentication, and tamper with JSON responses within the Kiali component of Red Hat OpenShift Service Mesh 3.1. This may impact the reliability and security of service mesh observability and management. However, no known exploits in the wild have been reported at this time.

Red Hat has released Kiali version 2.11.10 for OpenShift Service Mesh 3.1 containing fixes for these vulnerabilities. Users should update to this version by applying the updated RPM packages provided by Red Hat. Refer to the official Red Hat advisory RHSA-2026:16532 and Kiali 2.11.10 documentation for detailed upgrade instructions. Since this is not a cloud service, remediation requires user action to update the component. Patch status is confirmed by the vendor advisory.