Lucene search
K

CVE-2026-41185

🗓️ 28 May 2026 15:47:42Reported by TigeraType 
cve
 cve
🔗 web.nvd.nist.gov👁 26 Views🌐 WEB

Calico with Azure IPAM logs disclose ServiceAccount tokens and credentials in plaintext in cni.log.

Related
Detection
Affected
Refs
Paths
NVD
CNA
Node
tigeracalicoRange<3.21.7enterprise
OR
tigeracalicoRange<3.32.0open_source
OR
tigeracalicoRange<22.4.0cloud
OR
tigeracalicoRange3.22.03.22.3enterprise
[
  {
    "vendor": "Tigera",
    "product": "Calico",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "3.32.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "affected"
  },
  {
    "vendor": "Tigera",
    "product": "Calico Enterprise",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "3.21.7",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "3.22.0",
        "lessThan": "3.22.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "affected"
  },
  {
    "vendor": "Tigera",
    "product": "Calico Cloud",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "22.4.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "affected"
  }
]
ParameterPositionPathDescriptionCWE
stdinDatapath/var/log/calico/cni/cni.logLogs contain plaintext credentials (service account token, client key, CA) from CNI config when Azure IPAM is used, enabling credential leakage on node access.CWE-532
ServiceAccount tokenpath/var/log/calico/cni/cni.logLogs contain plaintext credentials (service account token, client key, CA) from CNI config when Azure IPAM is used, enabling credential leakage on node access.CWE-532
client keypath/var/log/calico/cni/cni.logLogs contain plaintext credentials (service account token, client key, CA) from CNI config when Azure IPAM is used, enabling credential leakage on node access.CWE-532
certificate authoritypath/var/log/calico/cni/cni.logLogs contain plaintext credentials (service account token, client key, CA) from CNI config when Azure IPAM is used, enabling credential leakage on node access.CWE-532

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

17 Jun 2026 10:46Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.16.5
CVSS 46
EPSS0.00323
SSVC
26