Kiali 2.11.9 for Red Hat OpenShift Service Mesh 3.1 fixes eight security vulnerabilities: CVE-2025-62718 (Axios SSRF and proxy bypass via improper hostname normalization), CVE-2026-25679 (incorrect IPv6 host literal parsing in net/url), CVE-2026-29074 (SVGO denial of service via XML entity expansion), CVE-2026-29063 (Immutable.js prototype pollution), CVE-2026-33186 (gRPC-Go authorization bypass due to HTTP/2 path validation), CVE-2026-4800 (lodash arbitrary code execution via untrusted template imports), CVE-2026-34986 (Go JOSE denial of service via crafted JWE object), and CVE-2026-40175 (Axios remote code execution via prototype pollution escalation). These vulnerabilities affect the Kiali observability component used in Red Hat OpenShift Service Mesh 3.1, which helps visualize and manage service mesh topologies and metrics. The update is provided as RPM packages by Red Hat Product Security under advisory RHSA-2026:8490.

The vulnerabilities collectively pose critical risks including server-side request forgery, proxy bypass, denial of service, arbitrary and remote code execution, authorization bypass, and prototype pollution. Exploitation could allow attackers to bypass security controls, execute arbitrary code remotely, cause service disruptions, or escalate privileges within the affected Kiali component. Given Kiali's role in managing service mesh observability, successful exploitation could impact the security and reliability of service mesh environments managed via Red Hat OpenShift Service Mesh 3.1.

Red Hat has released Kiali version 2.11.9 for OpenShift Service Mesh 3.1 that addresses these vulnerabilities. Users should update to this version promptly to mitigate the risks. The advisory RHSA-2026:8490 provides the updated RPM packages and detailed instructions. Since this is not a cloud service, remediation requires applying the update manually. There are no indications that these vulnerabilities are already mitigated or require no action. Patch status is confirmed by the vendor advisory.