go1.26.2 (released 2026-04-07) includes security fixes to the go command, the compiler, and the archive/tar, crypto/tls, crypto/x509, html/template, and os packages, as well as bug fixes to the go command, the go fix command, the compiler, the linker, the runtime, and the net, net/http, and net/url packages. See the Go 1.26.2 milestone on our issue tracker for details; - https://github.com/golang/go/issues?q=milestone%3AGo1.26.2+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.26.1...go1.26.2 From the security announce: We have just released Go versions 1.26.2 and 1.25.9, minor point releases. These releases include 10 security fixes following the security policy: - os: Root.Chmod can follow symlinks out of the root on Linux On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod could operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. On Linux, Root.Chmod now uses the fchmodat2 syscall when available, and an workaround using /proc/self/fd otherwise. Thanks to Uuganbayar Lkhamsuren for reporting this issue. This is CVE-2026-32282 and Go issue https://go.dev/issue/78293. - html/template: JS template literal context incorrectly tracked Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. This only affects templates that use template actions within JS template literals. This is CVE-2026-32289 and Go issue https://go.dev/issue/78331. - crypto/x509: excluded DNS constraints not properly applied to wildcard domains When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. For example, if a certificate contains the DNS name "*.example.com" and the excluded DNS name "EXAMPLE.COM", the constraint will not be applied. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. This issue only affects Go 1.26. Thank you to Riyas from Saintgits College of Engineering, k1rnt, @1seal for reporting this issue. This is CVE-2026-33810 and Go issue https://go.dev/issue/78332. - cmd/compile: no-op interface conversion bypasses overlap checking Previously, the compiler failed to unwrap pointers contained within a no-op interface conversion leading to an incorrect determination of a non-overlapping move. To prevent unsafe move operations, the compiler will now unwrap all such conversions before considering a move non-overlapping. Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue. This is CVE-2026-27144 and Go issue https://go.dev/issue/78371. - cmd/compile: possible memory corruption after bound check elimination Previously, slices and arrays accessed using induction variables were sometimes incorrectly proved in-bound. If the induction variable used for indexing were to overflow or underflow, it could allow access to memory beyond the scope of the original slice or array. To prevent this behavior, the compiler ensures that any mutated induction variable that overflows/underflows with respect to its loop condition is not used for bound check elimination. Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue. This is CVE-2026-27143 and Go issue https://go.dev/issue/78333. - archive/tar: unbounded allocation when parsing old format GNU sparse map tar.Reader could allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. We now limit both the number of old GNU sparse map extension blocks, and the total number of sparse file entries, regardless of encoding. Thanks to Colin Walters (wal...@verbum.org) who initially reported this issue. Thanks also to Uuganbayar Lkhamsuren (https://github.com/uug4na) and Jakub Ciolek who additionally reported this issue. This is CVE-2026-32288 and Go issue https://go.dev/issue/78301. - crypto/tls: multiple key update handshake messages can cause connection to deadlock If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue. This is CVE-2026-32283 and Go issue https://go.dev/issue/78334. - cmd/go: trust layer bypass when using cgo and SWIG A well-crafted SWIG source file could take advantage of a file-naming convention used inside the trust boundary of the cgo compiler. Doing so could result in arbitrary code execution during build time. SWIG files are disallowed from using this convention. Thank you to Juho Forsén of Mattermost for reporting this issue. This is CVE-2026-27140 and Go issue https://go.dev/issue/78335. - crypto/x509: unexpected work during chain building During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue. This is CVE-2026-32280 and Go issue https://go.dev/issue/78282. - crypto/x509: inefficient policy validation Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue. This is CVE-2026-32281 and Go issue https://go.dev/issue/78281. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Engine API
The Engine API is an HTTP API used by the command-line client to communicate with the daemon. It can also be used by third-party software to control the daemon.
It consists of various components in this repository:
api/swagger.yamlA Swagger definition of the API.api/types/Types shared by both the client and server, representing various objects, options, responses, etc. Most are written manually, but some are automatically generated from the Swagger definition. See #27919 for progress on this.client/The Go client used by the command-line client. It can also be used by third-party Go programs.daemon/The daemon, which serves the API.
Swagger definition
The API is defined by the Swagger definition in api/swagger.yaml. This definition can be used to:
- Automatically generate documentation.
- Automatically generate the Go server and client. (A work-in-progress.)
- Provide a machine readable version of the API for introspecting what it can do, automatically generating clients for other languages, etc.
Updating the API documentation
The API documentation is generated entirely from api/swagger.yaml. If you make updates to the API, edit this file to represent the change in the documentation.
Documentation for each API version can be found in the docs directory, which also provides a CHANGELOG.md.
The file is split into two main sections:
definitions, which defines re-usable objects used in requests and responsespaths, which defines the API endpoints (and some inline objects which don't need to be reusable)
To make an edit, first look for the endpoint you want to edit under paths, then make the required edits. Endpoints may reference reusable objects with $ref, which can be found in the definitions section.
There is hopefully enough example material in the file for you to copy a similar pattern from elsewhere in the file (e.g. adding new fields or endpoints), but for the full reference, see the Swagger specification.
swagger.yaml is validated by hack/validate/swagger to ensure it is a valid Swagger definition. This is useful when making edits to ensure you are doing the right thing.
Viewing the API documentation
When you make edits to swagger.yaml, you may want to check the generated API documentation to ensure it renders correctly.
Run make swagger-docs and a preview will be running at http://localhost:9000. Some of the styling may be incorrect, but you'll be able to ensure that it is generating the correct documentation.
The production documentation is generated by vendoring swagger.yaml into docker/docs.