190 matches found

Nuclei
added yesterday, 27 views

Uptime-Kuma < v1.23.0 - Improper Access Control

Uptime-Kuma before v1.23.0 is vulnerable to an information disclosure issue due to missing authorization on the /api/badge/1/ping/24 endpoint. An unauthenticated attacker can access this endpoint to leak ping statistics, such as average ping and ping history, for existing monitors without needing...

CVSS 5.3, AI score 5.8, EPSS 0.00905
Exploits 1, References 2
Chainguard
added 3 days ago, 4 views

GHSA-45GG-VH54-H5M9 vulnerabilities

Vulnerabilities for packages: external-dns, osv-scanner, cilium, prometheus-fips, kubescape, frankenphp-8.5, kine, kube-arangodb-fips, zitadel, kuma, traefik-fips, frankenphp-8.4, tigera-operator, gitlab-kas, mattermost-fips, frankenphp-8.2, terraform, trivy-operator-fips, chisel-fips, k3s, loki,...

AI score 5.8
Exploits 0
RedhatCVE
added 2026/06/05 7:33 p.m., 9 views

CVE-2026-45021

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...

CVSS 5.1, AI score 5.4, EPSS 0.00204
Exploits 0, References 1
NVD
added 2026/05/28 6:16 p.m., 13 views

CVE-2026-45021

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...

CVSS 5.1, EPSS 0.00204
Exploits 0, References 8
ATTACKERKB
added 2026/05/28 5:45 p.m., 12 views

CVE-2026-45021

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...

CVSS 5.1, AI score 5.8, EPSS 0.00204
Exploits 0, References 9, Affected Software 1
EUVD
added 2026/05/28 5:45 p.m., 9 views

EUVD-2026-32966

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...

CVSS 5.1, AI score 5.8, EPSS 0.00204
Exploits 0, References 8
CVE
added 2026/05/28 5:45 p.m., 22 views

CVE-2026-45021

Kuma CVE-2026-45021 describes a cross-origin exposure in the default kuma-cp config where CorsAllowedDomains: "." and LocalhostIsAdmin: true enable a browser-based attacker to fetch admin credentials from the control plane. Before versions 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, a malicious...

CVSS 5.1, AI score 5.8, EPSS 0.00204
Exploits 0, References 8
Vulnrichment
added 2026/05/28 5:45 p.m., 9 views

CVE-2026-45021 Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...

CVSS 5.1, AI score 5.8, EPSS 0.00204
Exploits 0, References 8
Cvelist
added 2026/05/28 5:45 p.m., 38 views

CVE-2026-45021 Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...

CVSS 5.1, EPSS 0.00204
Exploits 0, References 8
CNNVD
added 2026/05/28 12:00 a.m., 9 views

Kuma security vulnerability

Kuma is a modern service mesh developed by Kuma OpenSource, based on Envoy. It can be run on Kubernetes and VMs, with single- or multi-zone capabilities, across various clouds. There were security vulnerabilities in versions of Kuma before 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5. These...

CVSS 5.1, AI score 5.8, EPSS 0.00204
Exploits 0, References 8
OSV
added 2026/05/14 8:15 p.m., 6 views

GHSA-3VCP-CHFH-F6R2 Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

Summary Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: "." reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin...

CVSS 5.1, AI score 5.8, EPSS 0.00204
Exploits 0, References 10
Github Security Blog
added 2026/05/14 8:15 p.m., 9 views

Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

Summary Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: "." reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin...

CVSS 5.1, AI score 5.8, EPSS 0.00204
Exploits 0, References 10, Affected Software 1
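The two settings named in the GHSA summary above only become a leak in combination: the reflected Origin lets any web page read the response, and the loopback-equals-admin rule means the operator's own browser is the privileged caller. The Go example below is added here to show that interplay; it is not code from Kuma or from the advisory. It serves one request in-process under the weak defaults and under two fixes, and reports what a cross-origin page would observe. The `Config` struct, the `/admin/token` path, the token value and the `https://ui.kuma.internal` origin are all constructed for the example; the listing shows the wildcard as `"."`, and the example spells it `.*` and treats it as match-anything, which is an assumption about how the original setting is written.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Config holds the two settings the advisory names. The field names follow the
// advisory text; they are not Kuma's real configuration types.
type Config struct {
	CorsAllowedDomains []string // ".*" is treated as "reflect any Origin" (assumed spelling of the weak default)
	LocalhostIsAdmin   bool     // promote callers connecting from a loopback address to admin
}

// secretToken stands in for the admin bootstrap token (constructed value).
const secretToken = "admin-token-EXAMPLE"

// allowOrigin returns the Access-Control-Allow-Origin value for a request.
// Reflecting whatever Origin the caller sent is the weak behaviour: it tells
// the browser that every website may read the response body.
func allowOrigin(cfg Config, origin string) (string, bool) {
	if origin == "" {
		return "", false
	}
	for _, d := range cfg.CorsAllowedDomains {
		if d == ".*" || d == origin {
			return origin, true
		}
	}
	return "", false
}

// isAdmin applies the LocalhostIsAdmin rule to the TCP peer address. The
// operator's browser connects from 127.0.0.1 (or ::1), so a fetch() issued by
// any tab they have open arrives with that address and is promoted.
func isAdmin(cfg Config, remoteAddr string) bool {
	if !cfg.LocalhostIsAdmin {
		return false
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// tokenHandler is a toy admin endpoint: CORS headers follow cfg, and the
// secret is returned only to admin callers. The path is made up for the example.
func tokenHandler(cfg Config) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o, ok := allowOrigin(cfg, r.Header.Get("Origin")); ok {
			w.Header().Set("Access-Control-Allow-Origin", o)
		}
		if !isAdmin(cfg, r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, secretToken)
	})
}

// Probe records what a cross-origin page would observe.
type Probe struct {
	Reflected    bool // browser would let the page read the body
	ServedSecret bool // server put the token in the body
	Exposed      bool // both at once: the page obtains the token
}

// simulate serves one request in-process (no sockets) with the given Origin
// header and peer address, the way the operator's browser would send it.
func simulate(cfg Config, origin, remoteAddr string) Probe {
	req := httptest.NewRequest(http.MethodGet, "/admin/token", nil)
	req.RemoteAddr = remoteAddr
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	tokenHandler(cfg).ServeHTTP(rec, req)

	resp := rec.Result()
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	acao := resp.Header.Get("Access-Control-Allow-Origin")
	p := Probe{
		Reflected:    acao == origin || acao == "*",
		ServedSecret: resp.StatusCode == http.StatusOK && strings.Contains(string(body), secretToken),
	}
	p.Exposed = p.Reflected && p.ServedSecret
	return p
}

func main() {
	attacker, loopback := "https://attacker.example", "127.0.0.1:51234"
	weak := Config{CorsAllowedDomains: []string{".*"}, LocalhostIsAdmin: true}
	corsOnly := Config{CorsAllowedDomains: []string{"https://ui.kuma.internal"}, LocalhostIsAdmin: true}
	hardened := Config{CorsAllowedDomains: []string{"https://ui.kuma.internal"}, LocalhostIsAdmin: false}
	fmt.Printf("weak default:    %+v\n", simulate(weak, attacker, loopback))
	fmt.Printf("cors fixed only: %+v\n", simulate(corsOnly, attacker, loopback))
	fmt.Printf("both fixed:      %+v\n", simulate(hardened, attacker, loopback))
	fmt.Printf("weak, non-local: %+v\n", simulate(weak, attacker, "10.0.0.5:40000"))
}
```

The handler never sets Access-Control-Allow-Credentials, and it does not need to: the authorization comes from the peer address, not from a cookie, so a plain `fetch()` from the attacker's page can read the body as soon as the Origin is reflected. Tightening only the CORS allowlist stops the browser from handing the body to the page, but the server still mints the token for any loopback caller; turning `LocalhostIsAdmin` off as well is what removes the privileged path.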
Wolfi
added 2026/04/11 2:41 p.m., 6 views

CVE-2026-35204 vulnerabilities

Vulnerabilities for packages: flux, flux-source-controller, kuma, kots, zarf, cilium-cli, helm-push, rancher-fleet, cert-manager-cmctl...

CVSS 8.6, AI score 5.8, EPSS 0.00173
Exploits 0
Wolfi
added 2026/04/11 2:41 p.m., 7 views

GHSA-Q5JF-9VFQ-H4H7 vulnerabilities

Vulnerabilities for packages: flux, flux-source-controller, kuma, kots, zarf, cilium-cli, helm-push, rancher-fleet, cert-manager-cmctl...

AI score 5.8
Exploits 0
Wolfi
added 2026/04/11 2:41 p.m., 9 views

GHSA-VMX8-MQV2-9GMG vulnerabilities

Vulnerabilities for packages: flux, flux-source-controller, kuma, kots, zarf, cilium-cli, helm-push, rancher-fleet, cert-manager-cmctl...

AI score 5.8
Exploits 0
Wolfi
added 2026/04/11 2:41 p.m., 7 views

CVE-2026-35205 vulnerabilities

Vulnerabilities for packages: flux, flux-source-controller, kuma, kots, zarf, cilium-cli, helm-push, rancher-fleet, cert-manager-cmctl...

CVSS 8.4, AI score 5.8, EPSS 0.00185
Exploits 0
Wolfi
added 2026/04/11 2:41 p.m., 6 views

GHSA-HR2V-4R36-88HR vulnerabilities

Vulnerabilities for packages: istio, chart-testing, flux-source-controller, kuma, helm-operator, tw, k8ssandra-client, kubescape, helm-docs, k9s, cert-manager-cmctl, harbor, trivy-operator, envoy-gateway, pluto, kube-arangodb, kots, cilium-cli, consul-k8s, linkerd2, flux, teleport, headlamp,...

AI score 5.8
Exploits 0
Wolfi
added 2026/04/11 2:41 p.m., 6 views

CVE-2026-35206 vulnerabilities

Vulnerabilities for packages: istio, chart-testing, flux-source-controller, kuma, helm-operator, tw, k8ssandra-client, kubescape, helm-docs, k9s, cert-manager-cmctl, harbor, trivy-operator, envoy-gateway, pluto, kube-arangodb, kots, cilium-cli, consul-k8s, linkerd2, flux, teleport, headlamp,...

CVSS 4.8, AI score 5.8, EPSS 0.00199
Exploits 0
Chainguard
added 2026/04/11 2:18 p.m., 3 views

GHSA-Q5JF-9VFQ-H4H7 vulnerabilities

Vulnerabilities for packages: kuma, zarf-fips, kots, flux-source-controller-fips, helm-diff-fips, flux, cilium-cli, gitlab-operator, gitlab-operator-fips, cert-manager-cmctl-fips, helm-diff, helm-push, rancher-fleet, rancher-fleet-fips, zarf, cert-manager-cmctl, flux-source-controller, flux-fips...

AI score 5.8
Exploits 0
Chainguard
added 2026/04/11 2:18 p.m., 6 views

CVE-2026-35205 vulnerabilities

Vulnerabilities for packages: kuma, zarf-fips, kots, flux-source-controller-fips, helm-diff-fips, flux, cilium-cli, gitlab-operator, gitlab-operator-fips, cert-manager-cmctl-fips, helm-diff, helm-push, rancher-fleet, rancher-fleet-fips, zarf, cert-manager-cmctl, flux-source-controller, flux-fips...

CVSS 8.4, AI score 5.8, EPSS 0.00185
Exploits 0