Uptime-Kuma < v1.23.0 - Improper Access Control
Uptime-Kuma before v1.23.0 is vulnerable to an information disclosure issue due to missing authorization on the /api/badge/1/ping/24 endpoint. An unauthenticated attacker can access this endpoint to leak ping statistics, such as average ping and ping history, for existing monitors without needing...
CVE-2026-45021
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...
EUVD-2026-32966
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...
CVE-2026-45021
Kuma CVE-2026-45021 describes a cross-origin exposure in the default kuma-cp config where CorsAllowedDomains: "." and LocalhostIsAdmin: true enable a browser-based attacker to fetch admin credentials from the control plane. Before versions 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, a malicious...
CVE-2026-45021 Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...
Kuma Security Vulnerability
Kuma is a modern service mesh developed by Kuma OpenSource, based on Envoy. It can be run on Kubernetes and VMs, with single- or multi-zone capabilities, across various clouds. There were security vulnerabilities in versions of Kuma before 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5. These...
Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Summary: Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: "." reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin...
GHSA-3VCP-CHFH-F6R2 Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Summary: Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: "." reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin...
CVE-2026-35205 vulnerabilities
Vulnerabilities for packages: kots, kuma, flux, cert-manager-cmctl, zarf, helm-push, flux-source-controller, rancher-fleet, cilium-cli...
GHSA-VMX8-MQV2-9GMG vulnerabilities
Vulnerabilities for packages: kots, kuma, flux, cert-manager-cmctl, zarf, helm-push, flux-source-controller, rancher-fleet, cilium-cli...
CVE-2026-35204 vulnerabilities
Vulnerabilities for packages: kots, kuma, flux, cert-manager-cmctl, zarf, helm-push, flux-source-controller, rancher-fleet, cilium-cli...
GHSA-Q5JF-9VFQ-H4H7 vulnerabilities
Vulnerabilities for packages: kots, kuma, flux, cert-manager-cmctl, zarf, helm-push, flux-source-controller, rancher-fleet, cilium-cli...
GHSA-HR2V-4R36-88HR vulnerabilities
Vulnerabilities for packages: tw, envoy-gateway, helm-mapkubeapis, chart-testing, helm-docs, istio, k8ssandra-client, kubescape, zot, zarf, tigera-operator, helm-operator, helm-set-status, linkerd2, headlamp, cluster-api-helm-controller, cert-manager-cmctl, kube-arangodb, kots, harbor, kuma, k9s,...
CVE-2026-35206 vulnerabilities
Vulnerabilities for packages: tw, envoy-gateway, helm-mapkubeapis, chart-testing, helm-docs, istio, k8ssandra-client, kubescape, zot, zarf, tigera-operator, helm-operator, helm-set-status, linkerd2, headlamp, cluster-api-helm-controller, cert-manager-cmctl, kube-arangodb, kots, harbor, kuma, k9s,...
CVE-2026-35204 vulnerabilities
Vulnerabilities for packages: gitlab-operator, flux, cert-manager-cmctl-fips, zarf, rancher-fleet-fips, kuma, cilium-cli, zarf-fips, flux-source-controller-fips, cert-manager-cmctl, flux-source-controller, rancher-fleet, flux-fips, helm-diff, kots, helm-diff-fips, helm-push, gitlab-operator-fips...
GHSA-VMX8-MQV2-9GMG vulnerabilities
Vulnerabilities for packages: gitlab-operator, flux, cert-manager-cmctl-fips, zarf, rancher-fleet-fips, kuma, cilium-cli, zarf-fips, flux-source-controller-fips, cert-manager-cmctl, flux-source-controller, rancher-fleet, flux-fips, helm-diff, kots, helm-diff-fips, helm-push, gitlab-operator-fips...
GHSA-Q5JF-9VFQ-H4H7 vulnerabilities
Vulnerabilities for packages: gitlab-operator, flux, cert-manager-cmctl-fips, zarf, rancher-fleet-fips, kuma, cilium-cli, zarf-fips, flux-source-controller-fips, cert-manager-cmctl, flux-source-controller, rancher-fleet, flux-fips, helm-diff, kots, helm-diff-fips, helm-push, gitlab-operator-fips...
CVE-2026-35205 vulnerabilities
Vulnerabilities for packages: gitlab-operator, flux, cert-manager-cmctl-fips, zarf, rancher-fleet-fips, kuma, cilium-cli, zarf-fips, flux-source-controller-fips, cert-manager-cmctl, flux-source-controller, rancher-fleet, flux-fips, helm-diff, kots, helm-diff-fips, helm-push, gitlab-operator-fips...