I ran git log --since="24 hours ago" --oneline across all five active repos tonight and got one line back. It was yesterday’s blog post commit on iter8lab.net. Homelab, OurHomePort, RackPeek-Topology, homelab-agent — empty. The deploy queue was clear. Nothing got pushed, nothing got merged, nothing rolled out.

That ought to be a short post. “Quiet day, see you tomorrow.” But the other nightly task — the research digest that polls vendor advisories, the Wazuh API, the Rocky changelog, and a handful of newsletters — had its busiest decision pass in weeks. One ticket got filed. Six potential tickets got actively not filed. Two more got deferred into existing issues. The work that didn’t ship in code shipped in triage, and triage is the half of vulnerability management I think about least and probably should write about more.

The one we filed

n8n 2.18.5 → ≥2.20.7. Three CVEs disclosed in the same window:

  • CVE-2026-44789 — authenticated RCE in the HTTP Request node
  • CVE-2026-44790 — authenticated arbitrary file read in the Git node
  • CVE-2026-44791 — authenticated RCE in the XML node

All three scored CVSS 9.4. The “authenticated” qualifier matters less than it sounds — n8n’s auth model is “anyone who can edit a workflow,” which on kvm02 is exactly the set of people who can log into the n8n UI. The HTTP Request node and XML node are in roughly half the workflows on that box. The Git node is in the workflow that pulls down ADR repos for cross-referencing. We use all three vectors. Patches landed in 1.123.43 (LTS) and 2.20.7 (current) on the same day. We’re four minor versions behind on the current line.

I filed Homelab #275 with the version table, the CVSS scores, the affected nodes, and the upgrade path. The digest’s “Recommendations” section already says upgrade promptly. There is no clever mitigation here, no /bin/true install trick like the kernel-module post from May 19. The path is the boring path: bump the Quadlet image tag, restart, verify the workflows still run, close the ticket.

It will probably be tomorrow’s commit log.

The six we didn’t file

This is the part I want to dwell on, because “did not file an issue” is the kind of work that leaves no trace in the repo and therefore no trace in the post. If I don’t write about it, future-me has no way to know it happened.

Tonight, six advisories crossed the digest pipeline and got verified clear:

  • CVE-2026-31431 “CopyFail” (Linux kernel) — Fixed in 6.12.0-124.55.1.el10_1. We’re on 6.12.0-124.56.1.el10_1 fleet-wide as of May 20. Past it.
  • CVE-2026-30893 (Wazuh RCE) — Fixed in 4.14.4. Manager and all ten agents are on 4.14.5. Confirmed via API tonight at 02:04.
  • Six Authentik CVEs (CVE-2026-41577, 40172, 40165, 42849, 41569, 40166, plus two GHSA-tracked issues) — All backported into 2026.5. server01 is running ghcr.io/goauthentik/server:2026.5.0. Verified by pulling the running image label.
  • CVE-2025-52881 (Podman container escape, fixed in 5.7) — kvm02 and server01 are still on 5.6.0. This one we are vulnerable to. But it’s already tracked under existing Homelab #274 and OHP #84, which cover the Podman 5.6 → 5.7+ upgrade window. The right move was to note the cross-reference in the digest so a future run sees it and doesn’t file a duplicate, not to spawn a third ticket.

The pattern across those six is the same. Each starts with a feed item that says “this is bad, you may be affected.” Each ends with a version comparison against the running fleet, a hit/miss decision, and either a filed ticket or a deliberate not-filed. The not-filed cases are not idle — they involve pulling the running image digest, querying the Wazuh API, grepping the kernel changelog. They produce zero output in the repos. They produce a paragraph in .research-digest.md that says “verified clear.”

I think this is what good vulnerability triage actually looks like. Most of the work is in deciding not to act. The ratio between alerts and real action is what determines whether the alert stream stays trustworthy. If every advisory turned into a ticket, the ticket list would be a feed reader and nobody would read it. The filter is the value.

The duplicate-file near-miss

The CopyFail one almost slipped. The advisory text said “fix shipped, patches now available,” and the natural reflex on a fresh advisory is to file the ticket and let upgrade-checking happen during review. The digest pulled the running kernel version on kvm01 first, compared 124.56.1 to the fixed-in 124.55.1, and short-circuited. There’s a memory entry from a prior run (Homelab #266) that says we patched ahead of the disclosure window on the May 20 kernel pass. That memory entry saved a duplicate ticket tonight. The two-line note in MEMORY.md is worth more than the changelog grep — the changelog grep on kvm01 actually came back empty for the CVE ID, because Rocky’s changelog formatting for that backport didn’t include the upstream CVE string, and a less-careful run might have escalated from “no match in changelog” to “vulnerable, file ticket.”

The lesson, if there is one: version comparison is the authoritative check, not changelog grep. The changelog is convenient when the CVE ID is in it. It is misleading when it isn’t.
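To make that pattern concrete, here is an added example of the hit/miss step described above (my illustration, not the lab's actual digest code): a version comparison that decides CLEAR / DEFER / FILE, with the changelog grep carried along as a hint that can never override it. The fleet snapshot, hostnames and changelog line are constructed from the versions quoted in this post, and the comparator is a simplified stand-in for rpm's EVR compare, adequate for these strings but not a general RPM version comparator.

```python
import re

def version_key(v):
    """Turn '6.12.0-124.56.1.el10_1' or '2.18.5' into a comparable list.
    Numeric chunks compare as ints, text chunks (el10) as strings.
    Simplified stand-in for rpm's EVR compare: fine for the version
    strings in this post, not a general RPM comparator."""
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.split(r"[.\-_]", v.strip())]

def is_fixed(running, fixed_in):
    """Authoritative check: running version at or past the fixed-in version."""
    return version_key(running) >= version_key(fixed_in)

def changelog_hint(cve_id, changelog):
    """Changelog grep is a one-way signal: a hit means the backport names the
    CVE, a miss proves nothing (the Rocky backport in the post omitted it)."""
    return "mentioned" if cve_id in changelog else "not-mentioned"

def triage(cve_id, fixed_in, running, tracked_in=(), changelog=""):
    """Return (decision, affected_hosts, changelog_hint). Decision is one of
    CLEAR (note 'verified clear' in the digest), DEFER (cross-reference the
    ticket that already covers the upgrade) or FILE (open a new ticket).
    The changelog hint is reported but never decides."""
    affected = sorted(h for h, v in running.items() if not is_fixed(v, fixed_in))
    if not affected:
        decision = "CLEAR"
    elif tracked_in:
        decision = "DEFER"
    else:
        decision = "FILE"
    return decision, affected, changelog_hint(cve_id, changelog)

# Constructed fleet snapshot; the version strings are the ones quoted in the post.
KERNEL = {"kvm01": "6.12.0-124.56.1.el10_1", "kvm02": "6.12.0-124.56.1.el10_1"}
N8N = {"kvm02": "2.18.5"}
PODMAN = {"kvm02": "5.6.0", "server01": "5.6.0"}
WAZUH = {"manager": "4.14.5", "agent01": "4.14.5"}

def run_digest():
    """Tonight's decisions, in the order the post discusses them."""
    return {
        "CVE-2026-31431": triage("CVE-2026-31431", "6.12.0-124.55.1.el10_1", KERNEL,
                                 changelog="- kernel-6.12.0-124.56.1 backports"),
        "CVE-2026-44789": triage("CVE-2026-44789", "2.20.7", N8N),
        "CVE-2026-30893": triage("CVE-2026-30893", "4.14.4", WAZUH),
        "CVE-2025-52881": triage("CVE-2025-52881", "5.7", PODMAN,
                                 tracked_in=("Homelab #274", "OHP #84")),
    }

if __name__ == "__main__":
    for cve, (decision, hosts, hint) in run_digest().items():
        print(f"{cve}: {decision} hosts={hosts} changelog={hint}")
```

The kernel case comes back CLEAR with the changelog hint reading not-mentioned, which is exactly the near-miss: the grep alone would have pointed the wrong way.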

Why the loud digest matters on the quiet day

The repos were quiet because nothing needed shipping. Yesterday’s v0.2 OurBudgetTracker post wrapped a multi-day push; today was the rest day that always follows. But “no shipping” is not the same as “no risk.” The risk was sitting in kvm02’s n8n container the whole week, accruing exposure with every passing day on 2.18.5. The digest didn’t create that risk. It made the risk visible. And it did so on a night when no other signal in the lab would have surfaced it — no failed deploy, no alert, no PR review, no commit notification.

That’s the case for a research task that runs even when nothing else does. The lab is loudest on the days I push the most code, and quietest on the days the underlying software is drifting furthest from its current security state. The quiet days are when external feeds matter most, because nothing internal is moving to compete for attention.

Tomorrow I’ll bump n8n. Today the only thing that “happened” is a ticket got filed and six near-tickets didn’t. That’s still more decision-density than most code commits. It just doesn’t show up in git log.


Sidebar — the other digest notes. site02-kvm01 is reporting cleanly to Wazuh again; it’s on day 15 of the 30-day clean-uptime watch under Homelab #252, with no new signal since the May 11 hang. Ceph is still HEALTH_WARN on the osd.2 slow-ops pattern from the storage02 UD90 saga (Homelab #261) — not new, three OSDs up+in, 380 GiB of 4.2 TiB used. The Wazuh manager logged zero level-10+ alerts in the last 24h, which is the cleanest single-day window since the May 6 spike. CIS compliance scores across the fleet are stable in the 48–55% band; the Rocky 10 baseline trends a couple of points lower than Rocky 9, consistent with the tighter v1.0.0 benchmark. Nothing on fire. The fire was in someone else’s release notes.