188 matches found
Uptime-Kuma < v1.23.0 - Improper Access Control
Uptime-Kuma before v1.23.0 is vulnerable to an information disclosure issue due to missing authorization on the /api/badge/1/ping/24 endpoint. An unauthenticated attacker can access this endpoint to leak ping statistics, such as average ping and ping history, for existing monitors without needing...
CVE-2026-45021
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...
EUVD-2026-32966
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...
CVE-2026-45021
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...
CVE-2026-45021 Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...
CVE-2026-45021
Kuma CVE-2026-45021 describes a cross-origin exposure in the default kuma-cp config where CorsAllowedDomains: "." and LocalhostIsAdmin: true enable a browser-based attacker to fetch admin credentials from the control plane. Before versions 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, a malicious...
CVE-2026-45021 Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...
Kuma 安全漏洞
Kuma is a modern service mesh developed by Kuma OpenSource, based on Envoy. It can be run on Kubernetes and VMs, with single- or multi-zone capabilities, across various clouds. There were security vulnerabilities in versions of Kuma before 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5. These...
Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Summary Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: "." reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin...
GHSA-3VCP-CHFH-F6R2 Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Summary Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: "." reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin...
CVE-2026-35205 vulnerabilities
Vulnerabilities for packages: flux-source-controller, cert-manager-cmctl, rancher-fleet, zarf, kots, cilium-cli, helm-push, flux, kuma...
CVE-2026-35204 vulnerabilities
Vulnerabilities for packages: flux-source-controller, cert-manager-cmctl, rancher-fleet, zarf, kots, cilium-cli, helm-push, flux, kuma...
GHSA-VMX8-MQV2-9GMG vulnerabilities
Vulnerabilities for packages: flux-source-controller, cert-manager-cmctl, rancher-fleet, zarf, kots, cilium-cli, helm-push, flux, kuma...
GHSA-Q5JF-9VFQ-H4H7 vulnerabilities
Vulnerabilities for packages: flux-source-controller, cert-manager-cmctl, rancher-fleet, zarf, kots, cilium-cli, helm-push, flux, kuma...
GHSA-HR2V-4R36-88HR vulnerabilities
Vulnerabilities for packages: nova, harbor, trivy-operator, zot, trivy, kuma, zarf, cerbos, consul-k8s, teleport, flux-source-controller, helm-docs, istio, helm-operator, cert-manager-cmctl, k8ssandra-client, linkerd2, rancher-fleet, chart-testing, helm-push, pluto, kube-arangodb, envoy-gateway,...
CVE-2026-35206 vulnerabilities
Vulnerabilities for packages: nova, harbor, trivy-operator, zot, trivy, kuma, zarf, cerbos, consul-k8s, teleport, flux-source-controller, helm-docs, istio, helm-operator, cert-manager-cmctl, k8ssandra-client, linkerd2, rancher-fleet, chart-testing, helm-push, pluto, kube-arangodb, envoy-gateway,...
GHSA-VMX8-MQV2-9GMG vulnerabilities
Vulnerabilities for packages: helm-diff-fips, kots, flux-fips, flux-source-controller, cert-manager-cmctl-fips, kuma, rancher-fleet, cert-manager-cmctl, zarf-fips, gitlab-operator-fips, flux, cilium-cli, helm-push, rancher-fleet-fips, flux-source-controller-fips, helm-diff, gitlab-operator, zarf...
CVE-2026-35204 vulnerabilities
Vulnerabilities for packages: helm-diff-fips, kots, flux-fips, flux-source-controller, cert-manager-cmctl-fips, kuma, rancher-fleet, cert-manager-cmctl, zarf-fips, gitlab-operator-fips, flux, cilium-cli, helm-push, rancher-fleet-fips, flux-source-controller-fips, helm-diff, gitlab-operator, zarf...
GHSA-Q5JF-9VFQ-H4H7 vulnerabilities
Vulnerabilities for packages: helm-diff-fips, kots, flux-fips, flux-source-controller, cert-manager-cmctl-fips, kuma, rancher-fleet, cert-manager-cmctl, zarf-fips, gitlab-operator-fips, flux, cilium-cli, helm-push, rancher-fleet-fips, flux-source-controller-fips, helm-diff, gitlab-operator, zarf...
CVE-2026-35205 vulnerabilities
Vulnerabilities for packages: helm-diff-fips, kots, flux-fips, flux-source-controller, cert-manager-cmctl-fips, kuma, rancher-fleet, cert-manager-cmctl, zarf-fips, gitlab-operator-fips, flux, cilium-cli, helm-push, rancher-fleet-fips, flux-source-controller-fips, helm-diff, gitlab-operator, zarf...