Overview
This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.
Vulnerability Details
- CVE ID: CVE-2026-39882
- Dependency Name: prometheus-metrics
- Affected Version of Dependency: < 4.1.132, < 4.2.10
- Severity Score: CVSS:3.1 = 5.3 Medium
Affected Versions of DPGW
- 1.13.13-REL – 1.13.17-REL
Risk Assessment & Applicability
Usage
DPGW utilizes prometheus-metrics for providing observability metrics to be scraped by Grafana Alloy.
Analysis
CVE-2026-39882
Status
Affected
Severity Score in the context of DPGW: 0.9 Low (CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P)
Impact on DPGW
If an attacker were to successfully exploit this vulnerability in the context of our software, the potential impact would be memory exhaustion when the configured collector endpoint is attacker-controlled (or when a network attacker can man-in-the-middle the exporter connection).
Because the metrics endpoint should only ever be reachable from the local network, an attacker would need to control the Grafana Alloy instance installed on the server. This adds further preconditions to the attack, so the risk is low.
Remediation & Mitigations
Scheduled fix
Update to: 1.13.18-REL (scheduled for mid-April 2026) or newer
User Actions
Check that the /metrics endpoint is enabled only for connectors reachable over a local connection. Configuration: /dpgw/modules/module[@name='Monitoring']/parameters/@web-connectors should not contain “*” or any publicly accessible connector.
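The configuration check above, as an added example that is not part of this advisory or of DPGW's own tooling. It assumes (the advisory does not state this) that the configuration is an XML document rooted at <dpgw> and that @web-connectors holds a comma-separated list of connector names; the operator supplies the set of connectors known to be reachable from the local network only.

```python
# Added example (not DPGW's own tooling): audit a DPGW configuration for the
# Monitoring module's web-connectors setting named in the User Actions above.
# Assumptions not stated in the advisory: the configuration is XML rooted at
# <dpgw>, and @web-connectors is a comma-separated list of connector names.
import xml.etree.ElementTree as ET

# Constructed sample configuration in the assumed layout (not a real DPGW file).
SAMPLE_CONFIG = """<dpgw>
  <modules>
    <module name="Monitoring">
      <parameters web-connectors="*, local-admin, public-https"/>
    </module>
    <module name="Other">
      <parameters web-connectors="public-https"/>
    </module>
  </modules>
</dpgw>"""


def audit_metrics_connectors(config_xml: str, local_only: set) -> list:
    """Return findings for /dpgw/modules/module[@name='Monitoring']/parameters/@web-connectors.

    A finding is produced for the wildcard "*" (the /metrics endpoint would be
    exposed on every web connector) and for each connector name that is not in
    the operator-supplied `local_only` set of connectors reachable only over a
    local connection.
    """
    root = ET.fromstring(config_xml)
    findings = []
    # ElementTree supports the [@name='...'] predicate; the attribute itself is
    # read from the matched <parameters> element rather than selected by XPath.
    for params in root.findall("./modules/module[@name='Monitoring']/parameters"):
        value = params.get("web-connectors")
        if value is None:
            continue  # attribute absent on this element; nothing to evaluate
        for name in (n.strip() for n in value.split(",") if n.strip()):
            if name == "*":
                findings.append("wildcard '*' exposes /metrics on every web connector")
            elif name not in local_only:
                findings.append(f"connector '{name}' is not in the local-only allow list")
    return findings


if __name__ == "__main__":
    for finding in audit_metrics_connectors(SAMPLE_CONFIG, {"local-admin"}):
        print("FINDING:", finding)
```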