Summary: 8 total findings | 4 CVEs | 2 HIGH / Critical | 3 new releases | 1 trending repo | 2 immediate actions

Priority Actions Required

1. Audit all ODS repos: grep package-lock.json for axios@1.14.1 or axios@0.30.4 — North Korean RAT active in the wild. (Deadline: TODAY — active supply chain attack)
2. SSH srv-staging (35.195.54.220) → verify Traefik 3.6.12 is running: docker exec traefik traefik version. (Deadline: TODAY — CVE-2026-33433 targets PostgreSQL STARTTLS via Traefik TCP proxy)
3. Run cargo audit in OID, billing-engine, securemail → check for libcrux-ed25519 <= 0.0.6. (Deadline: This week — cryptographic key generation flaw, HIGH 8.2)
4. Plan ClickHouse 26.3 LTS upgrade with query compatibility validation (breaking: NOT operator precedence, async inserts defaults). (Deadline: Next sprint)
CVE / Security Advisories
CVE | Relevance: HIGH | CVSS: CRITICAL 9.8 | ACTION REQUIRED
FIND-20260404-017 — Axios npm Supply Chain Attack (CVE-2026-34841) — North Korean RAT
On March 31, 2026, axios@1.14.1 and axios@0.30.4 were published to npm via a hijacked maintainer account, injecting a cross-platform Remote Access Trojan via a malicious postinstall hook. The RAT, delivered through a plain-crypto-js dependency, grants full shell access on macOS, Windows, and Linux. Activity is attributed to Sapphire Sleet / UNC1069 (North Korea); Microsoft and Google both confirmed the attribution. Axios receives ~100M weekly npm downloads.

Safe versions: axios@1.14.0 or axios@0.30.3 (or earlier). Unsafe: 1.14.1 and 0.30.4 only.
Action (TODAY): In every ODS repo with a package-lock.json, run: grep -r '"axios"' package-lock.json | grep -E '1\.14\.1|0\.30\.4'. If found, downgrade immediately to 1.14.0. For new code, replace axios with native fetch. Also check node_modules/.package-lock.json for transitive inclusion via @usebruno/cli.
Tags: npm, supply-chain, axios, react, node, critical | Finding: FIND-20260404-017
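As an added example, not part of this digest: a Node.js check that parses the lockfile as JSON rather than line by line, so it also catches v2/v3 lockfiles where the package path and its version sit on different lines and nested transitive copies such as the @usebruno/cli case, and it takes a general package/version denylist so the same check serves future advisories. The sample lockfile and the @usebruno/cli version in it are constructed.

```javascript
// Added example, not part of this digest: structural audit of an npm lockfile for
// denied package versions. Handles lockfile v1 ("dependencies" tree) and v2/v3
// ("packages" map, which is also the shape of node_modules/.package-lock.json).
const DENYLIST = { axios: ['1.14.1', '0.30.4'] }; // versions from this finding

// "node_modules/@usebruno/cli/node_modules/axios" -> "axios"
function nameFromPath(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? key : key.slice(idx + 'node_modules/'.length);
}

// Return [{ name, version, path }] for every denied package in a parsed lockfile.
function findDeniedPackages(lock, denylist = DENYLIST) {
  const hits = [];
  const check = (name, version, path) => {
    if ((denylist[name] || []).includes(version)) hits.push({ name, version, path });
  };
  // v2/v3: flat map keyed by install path; the "" key is the root project itself.
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '' || !entry || !entry.version) continue;
    check(nameFromPath(key), entry.version, key);
  }
  // v1: nested tree; recurse so transitive copies are not missed.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(name, entry.version, path);
      walk(entry.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, ''); // v2 has both maps; avoid duplicates
  return hits;
}

// Constructed sample: top-level axios is safe, but a transitive copy under
// @usebruno/cli (version constructed) is one of the hijacked releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'ods-dashboard', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.0' },
    'node_modules/@usebruno/cli': { version: '2.0.0' },
    'node_modules/@usebruno/cli/node_modules/axios': { version: '1.14.1' },
  },
};

for (const h of findDeniedPackages(SAMPLE_LOCK)) {
  console.log(`DENIED ${h.name}@${h.version} at ${h.path}`); // prints the @usebruno/cli copy
}
```

For a real repo, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to findDeniedPackages and repeat for node_modules/.package-lock.json.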
CVE | Relevance: HIGH | CVSS: CRITICAL 9.3 | VERIFY ON STAGING
FIND-20260404-023 — Traefik CVE-2026-33186 + CVE-2026-33433 Patched in 3.6.12
CVE-2026-33186 (CRITICAL 9.3): gRPC-Go path canonicalization flaw allows unauthenticated gRPC requests with malformed :path pseudo-headers to bypass deny rules. Patch in 3.6.12.

CVE-2026-33433: STARTTLS bypass — unauthenticated clients can send a PostgreSQL SSLRequest prelude to bypass Traefik's readTimeout for TCP entrypoints. This is specifically dangerous for ODS because Traefik TCP-proxies PostgreSQL on srv-staging.

Both are patched in Traefik 3.6.12. ODS last-versions.json tracks 3.6.12, but physical deployment on srv-staging has not been confirmed in this session.
Action (TODAY): SSH to srv-staging and run docker exec $(docker ps --filter name=traefik -q) traefik version. If version < 3.6.12, trigger redeploy via Coolify or pull latest image.
CVEs: CVE-2026-33186, CVE-2026-33433 | Tags: traefik, grpc, postgresql, api-gateway | Finding: FIND-20260404-023
RUSTSEC | Relevance: MEDIUM | Severity: HIGH 8.2 | AUDIT REQUIRED
FIND-20260404-018 — RUSTSEC-2026-0075: libcrux-ed25519 All-Zero Key on CSPRNG Failure
libcrux-ed25519 <= 0.0.6 silently generates an all-zero Ed25519 signing key if the CSPRNG fails to produce a non-zero key after 100 attempts. The all-zero key is fully predictable — any attacker can forge signatures. Only triggers on catastrophic RNG failure, but the failure mode is silent and total. Fixed in 0.0.7 (returns an error instead of proceeding).
Action (This Week): Run cargo audit in ~/dev/projects/oid, billing-engine, securemail. If libcrux-ed25519 appears in the dep tree at version <= 0.0.6, update. Also check if ring or rustls transitively depends on it.
Tags: rust, cryptography, ed25519, oid, rustsec | Finding: FIND-20260404-018
CVE | Relevance: MEDIUM | CVSS: 6.3 | PATCHED
FIND-20260404-016 — CVE-2026-32695: Traefik Knative Ingress Rule Injection
User-controlled values are interpolated into backtick-delimited Traefik router rule expressions without escaping, so a backtick in a Knative rules[].hosts[] value can inject additional operators and bypass host restrictions in multi-tenant clusters. CVSS 4.0: 6.3 (requires existing cluster privileges). ODS does not use Knative. Fixed in >= 3.6.11; ODS tracks 3.6.12.
Action: Confirm Traefik 3.6.12 deployment (low urgency, no Knative in use). Covered by the 3.6.12 verification for CVE-2026-33186 above.
CVE: CVE-2026-32695 | Tags: traefik, kubernetes, ingress | Finding: FIND-20260404-016
New Releases
RELEASE | Relevance: HIGH | 26.2 → 26.3 LTS
FIND-20260404-019 — ClickHouse 26.3 LTS (v26.3.3.20) — Breaking Changes
ClickHouse 26.3 LTS released April 1, 2026. ODS is on 26.2.6.27-stable. Key breaking changes for ODS:
  • Async inserts ON by default — Kafka engine + Redpanda CDC inserts now batched automatically. Deduplication also ON by default for materialized views.
  • NOT operator precedence changed (now matches SQL standard) — may break existing analytics queries or Metabase dashboards relying on old precedence.
  • MySQL date type mapping changed (affects CDC from any MySQL source).
Action (Next Sprint): Deploy 26.3 LTS to staging ClickHouse instance. Re-run all CDC pipeline materialized views and validate Metabase reports. Pay special attention to queries using NOT with NULL checks. Test async insert behavior with Redpanda Kafka engine tables.
Tags: clickhouse, lts, analytics, breaking-change, data-platform | Finding: FIND-20260404-019
RELEASE | Relevance: MEDIUM | 2.10.1 → 2.10.3
FIND-20260404-020 — Tauri 2.10.3 — Updater Signing Key Fix
Tauri 2.10.3 (March 4, 2026) is two patch versions ahead of the currently tracked 2.10.1. Fixes include Cargo feature handling, mobile command arguments, and a bug in updater signing key generation. The signing key fix is relevant for DocSign if auto-update is enabled — a broken signing key generation would prevent update distribution.
Action: Update DocSign project's tauri crate to 2.10.3 in Cargo.toml. Run cargo update -p tauri.
Tags: tauri, desktop, docsign, release | Finding: FIND-20260404-020
RELEASE | Relevance: MEDIUM | UP TO DATE
FIND-20260404-021 — Node.js Security Releases (March 24, 2026) — ODS Current
Coordinated Node.js security releases on March 24 patched 7-9 CVEs across all LTS and Current lines. Affected: SNI callbacks, HTTP headers, crypto, and filesystem modules. ODS tracks v22.22.2 (LTS Jod) — this is the patched version. Node.js v24 LTS (Krypton) is now at v24.14.1 as an upgrade path.
Action: Confirm Node.js v22.22.2 on srv-staging CI environment (node --version). Begin planning migration to Node.js 24 LTS before 22.x EOL.
Tags: nodejs, lts, security, ods-dashboard | Finding: FIND-20260404-021
TRENDING | Relevance: HIGH | 24,203 stars (+71 today)
FIND-20260404-022 — RustFS: S3-Compatible Object Storage in Rust (Alpha, Multiple CVEs)
RustFS claims 2.3x faster throughput than MinIO for small objects. Apache 2.0 license, very active development (commit April 4). Potential MinIO replacement for DocStore.

Security concerns (all patched in 1.0.0-alpha.83+):
  • CVE-2026-27822: Stored XSS in console leaks S3 credentials (AccessKeyId, SecretAccessKey, SessionToken) — CVSS 10.0
  • CVE-2026-27607: Missing presigned POST policy validation — HIGH
  • CVE-2025-68926: Hardcoded gRPC authentication token in source code — Critical
Still in alpha (1.0.0-alpha.83). Not production-ready.
License: Apache-2.0 | Last commit: 2026-04-04 | CVEs: 3 (patched in alpha.83) | ACTIVE | MEDIUM | USE_WITH_CAUTION
Action: Monitor for stable 1.0 release. Revisit as MinIO replacement candidate for DocStore when production stability is demonstrated.
Tags: rust, s3, object-storage, minio, docstore, alpha | Finding: FIND-20260404-022
Version Tracker
Component          | Previous          | Current / Latest  | Status
Rust (rustc)       | 1.94.1            | 1.94.1            | UP TO DATE
Node.js LTS (Jod)  | 22.22.2           | 22.22.2           | UP TO DATE
ClickHouse         | 26.2.6.27-stable  | 26.3.3.20-lts     | UPGRADE NEEDED
Tauri              | 2.10.1            | 2.10.3            | UPDATE AVAILABLE
Traefik            | 3.6.12            | 3.6.12            | VERIFY STAGING
Redpanda           | 26.1.2            | 26.1.2            | UP TO DATE
Coolify            | 4.0.0-beta.470    | 4.0.0-beta.470    | UP TO DATE
Playwright         | 1.59.1            | 1.59.1            | UP TO DATE
Mermaid            | 11.14.0           | 11.14.0           | UP TO DATE
PostgreSQL         | 17.9              | 17.9              | CVE-2026-2005 OPEN
All Findings Summary
ID                 | Title                                                  | Type     | Relevance | Action
FIND-20260404-017  | Axios npm Supply Chain Attack — RAT (CVE-2026-34841)   | CVE      | HIGH      | TODAY
FIND-20260404-023  | Traefik CVE-2026-33186 + 33433 — Patch Verification    | CVE      | HIGH      | TODAY
FIND-20260404-018  | RUSTSEC-2026-0075 libcrux-ed25519 Key Flaw             | CVE      | MEDIUM    | This Week
FIND-20260404-016  | CVE-2026-32695 Traefik Knative Rule Injection          | CVE      | MEDIUM    | Confirm 3.6.12
FIND-20260404-019  | ClickHouse 26.3 LTS — Breaking Changes                 | RELEASE  | HIGH      | Next Sprint
FIND-20260404-020  | Tauri 2.10.3 — Updater Signing Fix                     | RELEASE  | MEDIUM    | Update Cargo.toml
FIND-20260404-021  | Node.js Security Releases — ODS Current                | RELEASE  | MEDIUM    | Verify env
FIND-20260404-022  | RustFS — S3 Object Storage (Alpha, 3 CVEs)             | TRENDING | HIGH      | Monitor for 1.0