GHSA-55F6-4PR5-C7M5
Vulnerability from github – Published: 2026-06-30 18:07 – Updated: 2026-06-30 18:07Kahi releases up to and including v0.1.0-alpha.8 contain three privilege/permission issues, all fixed in v0.1.0-alpha.9. They were identified in a full-codebase security review on 2026-05-26.
Affected versions
All releases <= v0.1.0-alpha.8.
Patched version
v0.1.0-alpha.9.
Details
1. Per-process privilege drop not applied (High)
A process configured with user = "uid:gid" had its credential resolved but never attached to the spawned child, so the process ran with the supervisor's inherited privileges (root, when the supervisor runs as root) instead of the configured lower-privilege user. The intended privilege isolation did not occur, and no error was raised.
2. Privilege drop did not reset supplementary groups (Medium)
When the daemon dropped privileges it set the primary gid and uid but never called setgroups(2), so the launching user's supplementary groups (for example docker, which is root-equivalent) remained active after the drop and were inherited by child processes.
3. FastCGI unix socket world-accessible by default (Medium)
A FastCGI unix-domain socket was chmod-ed only when socket_mode was explicitly configured. With socket_mode unset the socket kept the umask-dependent default (commonly world-accessible), allowing any local user to connect to it.
Remediation
Upgrade to v0.1.0-alpha.9. Privilege handling is now fail-closed: the configured credential is applied or the process refuses to start, supplementary groups are reset via setgroups before setgid/setuid, and FastCGI unix sockets default to 0700.
Workarounds (for <= v0.1.0-alpha.8)
- Do not rely on per-process
user; run the supervisor directly as the intended unprivileged user. - Set an explicit restrictive
socket_modeon FastCGI programs. - Avoid running the supervisor as root where possible.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.0-alpha.8"
},
"package": {
"ecosystem": "Go",
"name": "github.com/kahiteam/kahi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.0-alpha.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-271",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T18:07:44Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Kahi releases up to and including v0.1.0-alpha.8 contain three privilege/permission issues, all fixed in v0.1.0-alpha.9. They were identified in a full-codebase security review on 2026-05-26.\n\n## Affected versions\nAll releases \u003c= v0.1.0-alpha.8.\n\n## Patched version\nv0.1.0-alpha.9.\n\n## Details\n\n### 1. Per-process privilege drop not applied (High)\nA process configured with `user = \"uid:gid\"` had its credential resolved but never attached to the spawned child, so the process ran with the supervisor\u0027s inherited privileges (root, when the supervisor runs as root) instead of the configured lower-privilege user. The intended privilege isolation did not occur, and no error was raised.\n\n### 2. Privilege drop did not reset supplementary groups (Medium)\nWhen the daemon dropped privileges it set the primary gid and uid but never called setgroups(2), so the launching user\u0027s supplementary groups (for example `docker`, which is root-equivalent) remained active after the drop and were inherited by child processes.\n\n### 3. FastCGI unix socket world-accessible by default (Medium)\nA FastCGI unix-domain socket was chmod-ed only when `socket_mode` was explicitly configured. With `socket_mode` unset the socket kept the umask-dependent default (commonly world-accessible), allowing any local user to connect to it.\n\n## Remediation\nUpgrade to v0.1.0-alpha.9. Privilege handling is now fail-closed: the configured credential is applied or the process refuses to start, supplementary groups are reset via setgroups before setgid/setuid, and FastCGI unix sockets default to 0700.\n\n## Workarounds (for \u003c= v0.1.0-alpha.8)\n- Do not rely on per-process `user`; run the supervisor directly as the intended unprivileged user.\n- Set an explicit restrictive `socket_mode` on FastCGI programs.\n- Avoid running the supervisor as root where possible.",
"id": "GHSA-55f6-4pr5-c7m5",
"modified": "2026-06-30T18:07:44Z",
"published": "2026-06-30T18:07:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kahiteam/kahi/security/advisories/GHSA-55f6-4pr5-c7m5"
},
{
"type": "PACKAGE",
"url": "https://github.com/kahiteam/kahi"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Kahi has privilege-drop and socket/log permission issues"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.