188 matches found
Uptime-Kuma < v1.23.0 - Improper Access Control
Uptime-Kuma before v1.23.0 is vulnerable to an information disclosure issue due to missing authorization on the /api/badge/1/ping/24 endpoint. An unauthenticated attacker can access this endpoint to leak ping statistics, such as average ping and ping history, for existing monitors without needing...
CVE-2026-45021
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...
EUVD-2026-32966
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...
CVE-2026-45021
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...
CVE-2026-45021 Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...
CVE-2026-45021
Kuma CVE-2026-45021 describes a cross-origin exposure in the default kuma-cp config where CorsAllowedDomains: "." and LocalhostIsAdmin: true enable a browser-based attacker to fetch admin credentials from the control plane. Before versions 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, a malicious...
CVE-2026-45021 Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...
Kuma 安全漏洞
Kuma is a modern service mesh developed by Kuma OpenSource, based on Envoy. It can be run on Kubernetes and VMs, with single- or multi-zone capabilities, across various clouds. There were security vulnerabilities in versions of Kuma before 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5. These...
Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Summary Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: "." reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin...
GHSA-3VCP-CHFH-F6R2 Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Summary Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: "." reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin...
CVE-2026-35205 vulnerabilities
Vulnerabilities for packages: kuma, kots, cert-manager-cmctl, rancher-fleet, flux-source-controller, flux, cilium-cli, zarf, helm-push...
GHSA-VMX8-MQV2-9GMG vulnerabilities
Vulnerabilities for packages: kuma, kots, cert-manager-cmctl, rancher-fleet, flux-source-controller, flux, cilium-cli, zarf, helm-push...
CVE-2026-35204 vulnerabilities
Vulnerabilities for packages: kuma, kots, cert-manager-cmctl, rancher-fleet, flux-source-controller, flux, cilium-cli, zarf, helm-push...
GHSA-Q5JF-9VFQ-H4H7 vulnerabilities
Vulnerabilities for packages: kuma, kots, cert-manager-cmctl, rancher-fleet, flux-source-controller, flux, cilium-cli, zarf, helm-push...
GHSA-HR2V-4R36-88HR vulnerabilities
Vulnerabilities for packages: kuma, helm-mapkubeapis, chartmuseum, kubescape, kube-arangodb, flux-source-controller, eksctl, k8ssandra-client, zot, nova, k9s, helm-set-status, cert-manager-cmctl, rancher-fleet, tigera-operator, trivy, envoy-gateway, tw, chart-testing, pluto, cerbos, headlamp,...
CVE-2026-35206 vulnerabilities
Vulnerabilities for packages: kuma, helm-mapkubeapis, chartmuseum, kubescape, kube-arangodb, flux-source-controller, eksctl, k8ssandra-client, zot, nova, k9s, helm-set-status, cert-manager-cmctl, rancher-fleet, tigera-operator, trivy, envoy-gateway, tw, chart-testing, pluto, cerbos, headlamp,...
CVE-2026-35204 vulnerabilities
Vulnerabilities for packages: kuma, flux-fips, kots, cert-manager-cmctl, rancher-fleet, flux-source-controller-fips, cert-manager-cmctl-fips, rancher-fleet-fips, zarf, flux-source-controller, flux, zarf-fips, cilium-cli, gitlab-operator, helm-push, helm-diff-fips, helm-diff, gitlab-operator-fips...
GHSA-VMX8-MQV2-9GMG vulnerabilities
Vulnerabilities for packages: kuma, flux-fips, kots, cert-manager-cmctl, rancher-fleet, flux-source-controller-fips, cert-manager-cmctl-fips, rancher-fleet-fips, zarf, flux-source-controller, flux, zarf-fips, cilium-cli, gitlab-operator, helm-push, helm-diff-fips, helm-diff, gitlab-operator-fips...
GHSA-Q5JF-9VFQ-H4H7 vulnerabilities
Vulnerabilities for packages: kuma, flux-fips, kots, cert-manager-cmctl, rancher-fleet, flux-source-controller-fips, cert-manager-cmctl-fips, rancher-fleet-fips, zarf, flux-source-controller, flux, zarf-fips, cilium-cli, gitlab-operator, helm-push, helm-diff-fips, helm-diff, gitlab-operator-fips...
CVE-2026-35205 vulnerabilities
Vulnerabilities for packages: kuma, flux-fips, kots, cert-manager-cmctl, rancher-fleet, flux-source-controller-fips, cert-manager-cmctl-fips, rancher-fleet-fips, zarf, flux-source-controller, flux, zarf-fips, cilium-cli, gitlab-operator, helm-push, helm-diff-fips, helm-diff, gitlab-operator-fips...