CVE-2026-6720

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig with bearer token,...

CVE-2026-6720

Calico component calicoctl is affected. When run with --log-level=info or --log-level=debug, it prints the full contents of its loaded connection-configuration struct to stderr in a single log line, exposing credentials (inline kubeconfig with bearer token, Kubernetes API bearer token, etcd passw...

EUVD-2026-32932

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig with bearer token,...

CVE-2026-6720 Calicoctl leaks cluster credentials to stderr when verbose logging is enabled

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig with bearer token,...

CVE-2026-6720

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig with bearer token,...

CVE-2026-7163

A vulnerability in the assisted-service REST API, an optional Assisted Installer assisted-service component in the Multicluster Engine MCE, allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub...

CVE-2026-7163

A vulnerability in the assisted-service REST API, an optional Assisted Installer assisted-service component in the Multicluster Engine MCE, allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub...

EUVD-2026-26374

A vulnerability in the assisted-service REST API, an optional Assisted Installer assisted-service component in the Multicluster Engine MCE, allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub...

CVE-2026-7163

CVE-2026-7163 affects the Assisted-service REST API in the Multicluster Engine (MCE) used with Red Hat ACM/MCE on-prem deployments. An authenticated user with minimal namespace privileges can obtain administrative credentials (the kubeadmin password) and kubeconfig for any cluster provisioned thr...

CVE-2026-7163

A vulnerability in the assisted-service REST API, an optional Assisted Installer assisted-service component in the Multicluster Engine MCE, allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub...

CVE-2026-7163 Assisted-service: assisted-service: authenticated users can gain administrative access to openshift clusters via credential disclosure

A vulnerability in the assisted-service REST API, an optional Assisted Installer assisted-service component in the Multicluster Engine MCE, allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub...

PT-2026-36097

Name of the Vulnerable Software and Affected Versions Multicluster Engine affected versions not specified Red Hat Advanced Cluster Management affected versions not specified Description A flaw in the assisted-service REST API, an optional Assisted Installer component in the Multicluster Engine,...

BIT-FLUX-2022-24817 Improper kubeconfig validation allows arbitrary code execution

Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also...

EUVD-2021-1164

Malware in sbrugna...

EUVD-2020-23181

Malware in sbrugna...

EUVD-2022-1339

Malicious code in bioql PyPI...

EUVD-2022-5436

Malicious code in bioql PyPI...

CVE-2025-27095 JumpServer has a Kubernetes Token Leak Vulnerability

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to 4.8.0 and 3.10.18, an attacker with a low-privileged account can access the Kubernetes session feature and manipulate the kubeconfig file to redirect API requests to an external server...

PT-2025-13783

Name of the Vulnerable Software and Affected Versions JumpServer versions prior to 4.8.0 JumpServer versions prior to 3.10.18 Description The issue allows an attacker with a low-privileged account to access the Kubernetes session feature and manipulate the kubeconfig file. This manipulation enabl...

JumpServer 安全漏洞

JumpServer is an open source bastion machine from Hangzhou, China-based Feizhiyun Information Technology JumpServer. A security vulnerability exists in JumpServer versions prior to 4.8.0 and 3.10.18, which stems from a low-privileged account that can access the Kubernetes session function and...