CAPACITY PRIVATE CLOUD - SECURITY BULLETIN - 19th Feb 2026
CVE-2025-68121 - Go TLS Session Resumption Vulnerability
Published: February 2026
Severity: Not Applicable to Production Deployments
Status: Remediation Scheduled
OVERVIEW
CVE-2025-68121 is a vulnerability in Go's TLS session resumption handling, present in Go versions prior to 1.26.0. Image scanning tools may flag this CVE in LumenVox/Capacity Private Cloud container images released in version 7.0.0. This bulletin provides our assessment and guidance for customers.
PRODUCTION IMPACT: NONE
This vulnerability does not affect production Kubernetes deployments. The vulnerability requires active TLS connections to be exploitable. In our standard deployment configuration:
- TLS is disabled by default (TLS_ENABLED=false)
- The HTTPS server endpoint is not started when TLS is disabled
- TLS termination, when required, occurs at the ingress controller level
The optional HTTPS endpoint (port 9181) exists for internal development and testing purposes and is not exposed in production configurations.
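To confirm that a given cluster matches the conditions above, the following added example (not Capacity/LumenVox code) audits `kubectl get deploy,svc -o json` output for TLS_ENABLED being switched on or port 9181 being declared or exposed. It assumes TLS_ENABLED is passed as a container environment variable; the object names and the sample input are constructed for illustration.

```python
import json

HTTPS_PORT = 9181  # optional HTTPS endpoint named in the bulletin

def _enabled(value):
    return str(value).strip().lower() in ("true", "1", "yes")

def audit(doc):
    """Return findings for a `kubectl get deploy,svc -o json` style List."""
    findings = []
    for item in doc.get("items", [doc]):  # accept a List or a single object
        name = f"{item.get('kind', '?')}/{item.get('metadata', {}).get('name', '?')}"
        spec = item.get("spec", {})
        # Service objects: is 9181 published or targeted?
        if item.get("kind") == "Service":
            for p in spec.get("ports", []):
                if HTTPS_PORT in (p.get("port"), p.get("targetPort")):
                    findings.append(f"{name}: exposes port {HTTPS_PORT}")
            continue
        # Workloads: inspect every container in the pod template.
        # An absent TLS_ENABLED is treated as the documented default (false).
        for c in spec.get("template", {}).get("spec", {}).get("containers", []):
            where = f"{name}/{c.get('name', '?')}"
            for env in c.get("env", []):
                if env.get("name") != "TLS_ENABLED":
                    continue
                if "valueFrom" in env:
                    findings.append(f"{where}: TLS_ENABLED comes from valueFrom, resolve it")
                elif _enabled(env.get("value", "")):
                    findings.append(f"{where}: TLS_ENABLED={env['value']}")
            if c.get("envFrom"):
                findings.append(f"{where}: envFrom in use, check the source for TLS_ENABLED")
            for p in c.get("ports", []):
                if p.get("containerPort") == HTTPS_PORT:
                    findings.append(f"{where}: declares containerPort {HTTPS_PORT}")
    return findings

# Constructed sample input (not from a real cluster).
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Deployment", "metadata": {"name": "svc-default"}, "spec": {"template": {"spec": {"containers": [
   {"name": "app", "env": [{"name": "TLS_ENABLED", "value": "false"}], "ports": [{"containerPort": 8080}]}]}}}},
 {"kind": "Deployment", "metadata": {"name": "svc-dev"}, "spec": {"template": {"spec": {"containers": [
   {"name": "app", "env": [{"name": "TLS_ENABLED", "value": "true"}], "ports": [{"containerPort": 9181}]}]}}}},
 {"kind": "Service", "metadata": {"name": "svc-dev"}, "spec": {"ports": [{"port": 443, "targetPort": 9181}]}}
]}
""")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

An empty result means the audited objects match the default configuration described in this bulletin; values injected through envFrom or valueFrom are reported for manual review because they cannot be resolved from the workload object alone.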
REMEDIATION TIMELINE
An update to a patched Go version (1.26.0+) will be included in the next scheduled release. Given the non-applicability to production configurations, this is being addressed as a routine maintenance update.
REFERENCES
NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-68121
