Skip to main content
2026-07-15

2026-07-16

CVE-2026-56453 MEDIUM This Month

Account takeover through HTTP response manipulation in HCL DFXAnalytics enables a network-positioned attacker to intercept and alter server responses before they reach the client, subverting authentication and authorization decisions enforced client-side. The product, identified via CPE cpe:2.3:a:hcl_software:dfxanalytics:*:*:*:*:*:*:*:*, appears to trust server-provided authentication outcomes without cryptographic integrity protection, allowing a low-privileged adversary-in-the-middle to gain unauthorized access to arbitrary user accounts. No public exploit has been identified and no CISA KEV listing is present, but the CVSS scope change (S:C) signals that successful exploitation reaches beyond the attacker's own session to compromise targeted accounts.

Authentication Bypass Dfxanalytics
NVD VulDB
CVSS 3.1
5.5
CVE-2026-9494 MEDIUM PATCH This Month

ubuntu-pro-client (formerly ubuntu-advantage-tools) leaks Ubuntu Pro bearer tokens to unprivileged local users via the Linux /proc filesystem on all supported Ubuntu LTS releases from 14.04 through 26.04. When the client validates APT credentials, it spawns /usr/lib/apt/apt-helper with the secret token embedded in a cleartext URL argument (https://bearer:<token>@esm.ubuntu.com/), which any local low-privileged user can read from /proc/<pid>/cmdline on default-configured systems. The stolen token enables unauthorized access to the victim's Ubuntu Pro ESM repositories. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.

Ubuntu Canonical Authentication Bypass Information Disclosure Ubuntu Pro Client Ubuntu Advantage Tools +7
NVD
CVSS 3.1
5.5
CVE-2026-61718 MEDIUM This Month

Improper authorization in BunkerWeb's web UI middleware allows authenticated reader-role accounts to permanently delete WAF job cache files in versions 1.6.2 through 1.6.11. The BiscuitMiddleware bypass list incorrectly included the `/cache/` URL prefix, causing the `POST /cache/delete` route to skip Biscuit role-based access control and enforce only Flask's `@login_required` decorator, making write-privileged cache operations accessible to any authenticated user. Deleted cache can include blacklists, GeoIP data, ModSecurity CRS rules, CrowdSec data, and ACME/Let's Encrypt certificate material, degrading WAF protective capability. No public exploit is identified at time of analysis; vendor-released patch is available in version 1.6.12.

Authentication Bypass Bunkerweb
NVD GitHub
CVSS 3.1
5.4
CVE-2026-47082 MEDIUM PATCH This Month

Incorrect authorization in Cyrus IMAP through 3.12.2 allows authenticated users to bypass mailbox ACL enforcement via the vacation Sieve script `:fcc` (file carbon copy) feature, enabling unauthorized message injection into any mailbox nameable by the script regardless of insert permissions. The CVSS vector (PR:L, AV:N) confirms network-triggerable exploitation requiring only a valid authenticated account, with low integrity and availability impact (C:N/I:L/A:L). No public exploit code and no CISA KEV listing exist at time of analysis; vendor-released patch version 3.12.3 addresses the flaw.

Authentication Bypass Cyrus Imap
NVD
CVSS 3.1
5.4
CVE-2026-15909 MEDIUM This Month

Authorization bypass in RafyMrX TOKO-ONLINE-ROTI allows a low-privileged remote attacker to manipulate the `kd_cs` parameter in `proses/add.php` to access or modify data belonging to other customers, a classic CWE-639 Insecure Direct Object Reference pattern. The application up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 is confirmed affected, with no vendor patch available after the vendor failed to respond to responsible disclosure. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low complexity of parameter manipulation makes this trivially reproducible with standard HTTP tooling.

Authentication Bypass PHP Toko Online Roti
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-62299 MEDIUM This Month

Nil pointer dereference in CoreDNS prior to 1.14.5 allows remote unauthenticated attackers to crash or degrade the DNS server by sending a single ordinary DNS query. The rewrite plugin's edns0 response rules dereference the result of IsEdns0() without a nil check; when a downstream plugin returns a response lacking an OPT record, the ResponseReverter panics, returning SERVFAIL in default deployments or terminating the CoreDNS process entirely when the debug directive is active. No public exploit code has been identified and the issue is fixed in v1.14.5.

Denial Of Service Null Pointer Dereference Coredns
NVD GitHub
CVSS 3.1
5.3
CVE-2026-53715 MEDIUM This Month

Envoy Gateway's Wasm extension cache HTTP server (port 18002) can be crashed by a tenant-level attacker, causing a cross-tenant control-plane denial of service. The race condition in httpserver.go causes Go's runtime to call runtime.throw upon detecting an unsynchronized concurrent map access - a fatal signal that net/http's per-connection recover cannot intercept - terminating the entire controller process. While Kubernetes restarts the pod, all tenants sharing the controller lose control-plane availability during the restart window. No public exploit has been identified at time of analysis, but the four-condition precondition set is largely within baseline tenant capabilities.

Information Disclosure Race Condition Kubernetes
NVD GitHub
CVSS 3.1
5.3
CVE-2026-53536 MEDIUM This Month

Cross-tenant step-file disclosure in Activepieces before 0.83.0 allows any authenticated user on a shared instance to retrieve a workflow step-file attachment belonging to a different tenant by exploiting two compounding defects in the `/v1/step-files/signed` download endpoint: a missing JWT audience check and an unguarded null fileId that causes PostgreSQL to return an arbitrary FLOW_STEP_FILE record. Access is strictly read-only and non-targeted - the attacker cannot choose which tenant's file is returned, as the result depends on PostgreSQL's internal scan order at query time. No public exploit has been identified and no active exploitation is listed in CISA KEV; the vulnerability is patched in version 0.83.0.

Information Disclosure PostgreSQL
NVD GitHub
CVSS 4.0
5.3
CVE-2026-45795 MEDIUM PATCH This Month

Signature bypass in Janssen jans-auth-server's OIDC authorization request object processing allows unauthenticated remote attackers to submit JWE-wrapped authorization requests containing unsigned plain JSON payloads, circumventing the integrity guarantee that JAR (RFC 9101) is designed to enforce. Two distinct code defects enable the bypass: the server silently skips nested JWS validation when getSignedJWTPayload() returns null, and the forceSignedRequestObject enforcement fails to reject null-mapped algorithm identifiers such as RSA-OAEP (an encryption algorithm, not a signature algorithm). No public exploit code has been identified and the vulnerability is not listed in CISA KEV; it is fixed in version 2.0.0.

Jwt Attack Information Disclosure Jans
NVD GitHub
CVSS 3.1
5.3
CVE-2026-56456 MEDIUM This Month

HCL DFXAnalytics exposes internal file system paths and directory structure through unhandled error messages, system logs, or debugging output rendered by the application dashboard. All versions are affected per the wildcard CPE, and the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms unauthenticated remote attackers can trivially trigger and read this disclosure with no special configuration. No public exploit code exists and the vulnerability is not listed in CISA KEV; however, the leaked path information materially aids reconnaissance for chained attacks against the underlying server environment.

Information Disclosure Dfxanalytics
NVD VulDB
CVSS 3.1
5.3
CVE-2026-56455 MEDIUM This Month

Stack-based buffer overflow in HCL DFXAnalytics allows remote unauthenticated attackers to crash or render the application unresponsive by submitting excessively large input values that bypass missing server-side length validation. The vulnerability carries a CVSS 3.1 score of 5.3 (Medium) with availability as the sole impact dimension - no confidentiality or integrity exposure is present, and remote code execution has not been indicated. No public exploit code or active exploitation has been identified at time of analysis.

Buffer Overflow Stack Overflow Denial Of Service Dfxanalytics
NVD VulDB
CVSS 3.1
5.3
CVE-2026-15106 MEDIUM This Month

Unauthorized deletion of chat session records in the WPBot WordPress plugin affects all versions through 8.5.6, allowing unauthenticated remote attackers to wipe arbitrary conversation history and user records by supplying a crafted userid parameter to unprotected endpoints. The root cause is a missing authorization check (CWE-862) in the chat sessions module, confirmed by Wordfence with source-level references to the vulnerable code in wpbot-chat-sessions.php. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS-assigned score of 5.3 Medium reflects the limited scope: data deletion with no confidentiality or availability impact on the service itself.

Authentication Bypass WordPress Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-60073 MEDIUM This Month

Out-of-bounds read in AutomationDirect Productivity Suite exposes kernel memory and system stability to a physically-present, low-privileged attacker via manipulated USB data length values. Exploitation can result in disclosure of sensitive kernel memory contents or a full system crash - both significant outcomes in an OT/ICS environment where availability and data integrity are critical. Reported by ICS-CERT under advisory ICSA-26-197-04, with no public exploit code or CISA KEV listing identified at time of analysis.

Information Disclosure Buffer Overflow Productivity Suite
NVD GitHub
CVSS 4.0
5.2
CVE-2026-12391 MEDIUM PATCH This Month

Insecure symlink following in Canonical's ubuntu-pro-client `pro collect-logs` command allows a low-privileged local attacker to cause a root-executing diagnostic tool to read arbitrary root-owned files - including `/etc/shadow` - and bundle their contents into a support archive accessible to the attacker. All supported Ubuntu LTS releases from 16.04 through 26.04 are affected, as confirmed by Canonical's own advisory and CPE data spanning the full product history. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the attack primitive is trivially simple - standard Unix symlink creation - making exploitation straightforward once local access is obtained.

Ubuntu Canonical Information Disclosure Ubuntu Pro Client Ubuntu Advantage Tools Ubuntu 26 04 Lts +5
NVD VulDB
CVSS 3.1
5.0
CVE-2026-15651 MEDIUM This Month

SQL Injection in the WP TripAdvisor Review Slider WordPress plugin (all versions through 14.6) allows authenticated attackers holding administrator-level credentials to append arbitrary SQL to existing queries via the unsanitized 'filtersource' parameter, exposing sensitive data stored in the WordPress database. The flaw originates from insufficient escaping and missing prepared statement usage across multiple display and admin class files identified by Wordfence. No public exploit code or active exploitation has been identified at time of analysis, and the high privilege requirement significantly constrains real-world impact.

SQLi WordPress Wp Tripadvisor Review Slider
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-52832 MEDIUM POC PATCH This Month

Unauthenticated path traversal in Nuclio Dashboard's function build API allows arbitrary file write as root inside the Dashboard container. The `spec.handler` field accepts unsanitized module names containing `../` sequences, which Go's `path.Join`/`path.Clean` resolves to escape the build temp directory; the resulting path is passed to `os.WriteFile` running as `uid=0`. Versions up to and including 1.15.27 are affected; a full working proof-of-concept has been publicly disclosed, though no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Privilege Escalation Ubuntu Kubernetes Docker Path Traversal +1
NVD GitHub
CVSS 3.1
4.9
CVE-2026-15727 MEDIUM This Month

SQL injection in the WP Bulk Delete WordPress plugin (all versions up to and including 1.4.2) allows authenticated attackers holding administrator-level privileges to append arbitrary SQL to existing queries via the delete_user_roles POST parameter, enabling full database read access. The root cause is a code-level stripping of WordPress's built-in magic-quotes protection: wp_unslash() is called on the raw POST body before parse_str() decomposes it, leaving attacker-controlled values fully unescaped when they reach the SQL sink in class-delete-api.php. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; real-world risk is bounded by the administrator authentication requirement.

SQLi WordPress Wp Bulk Delete
NVD VulDB
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-15458 MEDIUM This Month

SQL Injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) enables authenticated administrators to append arbitrary SQL to existing queries via the unsanitized 'sort_field' parameter, exposing sensitive database contents. The vulnerability resides in seo-booster.php (lines 389, 404, 406) where user-supplied sort input is neither escaped nor parameterized before being incorporated into SQL execution. Despite a high confidentiality impact, exploitation is gated behind WordPress administrator-level credentials (PR:H), substantially limiting the realistic attack surface. No public exploit identified at time of analysis; a WordPress Trac changeset (3606177) suggests a patch has been committed.

SQLi WordPress Seo Booster
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-15445 MEDIUM This Month

Time-based SQL injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) allows authenticated administrators to extract sensitive database contents by manipulating the unquoted 'orderby' parameter in the Google Search Console list table component. The root cause is that developer-applied sanitization functions esc_sql() and sanitize_text_field() fail to neutralize SQL keywords, subquery syntax, commas, or parentheses when used in an ORDER BY clause context, leaving the clause fully attacker-controlled. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS score data was not provided.

SQLi WordPress Seo Booster
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-13005 MEDIUM This Month

Stored Cross-Site Scripting in the MxChat AI Chatbot & Content Generation WordPress plugin (versions up to and including 3.2.10) enables authenticated administrators to persist malicious scripts through admin settings panels. Exploitation is constrained to WordPress multi-site environments or single-site installs where the unfiltered_html capability has been explicitly disabled, narrowing the realistic attack surface significantly. No public exploit code or active exploitation (CISA KEV) has been identified; CVSS 4.4 Medium reflects the restricted conditions and high privilege requirement.

WordPress XSS Mxchat Ai Chatbot Content Generation For Wordpress
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-15324 MEDIUM This Month

Stored Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (all versions through 4.4.14) allows authenticated shop managers to persist malicious scripts via the unsanitized 'row_type' parameter, executing in any user's browser upon visiting the compromised My Account page. The CVSS scope change (S:C) confirms cross-user impact - injected scripts run in victim sessions, enabling session hijacking or credential theft beyond the attacker's own context. No public exploit code or CISA KEV listing is confirmed at time of analysis; risk is substantially gated by the shop manager privilege requirement.

WordPress XSS Sysbasics Customize My Account For Woocommerce Live My Account Customizer
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-12434 MEDIUM This Month

Sensitive information exposure in the List Category Posts WordPress plugin (all versions through 0.95.0) allows authenticated contributors to read non-public posts belonging to other users - including pending-review, scheduled, and trashed content with full body text, excerpts, authors, and custom-field metadata. Exploitation requires only a contributor-level account and the ability to embed the native [catlist] shortcode in a draft post, then preview it, triggering the flawed sanitize_status logic. This is a confirmed bypass of the incomplete authorization fix shipped in version 0.93.0 for CVE-2025-11377, indicating the root authorization flaw was never fully remediated. No public exploit code or CISA KEV listing is identified at time of analysis.

Authentication Bypass WordPress Information Disclosure List Category Posts
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15610 MEDIUM This Month

Authorization bypass in the WPBot AI ChatBot plugin for WordPress (all versions ≤ 8.5.6) permits any subscriber-level authenticated user to invoke the plugin's RAG document re-embedding functionality without authorization, directly modifying the rag_documents database table and triggering calls to the site owner's paid AI APIs (OpenAI, Gemini, OpenRouter, or xAI). The root cause is a missing capability check in class-qcld-bot-rag.php, confirmed by Wordfence and traceable to specific code paths in qcld-wpwbot.php. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS 4.3 Medium score reflects constrained direct security impact - though financial harm from API credit exhaustion represents the primary real-world risk.

Authentication Bypass WordPress Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15350 MEDIUM This Month

Authorization bypass in The Cache Purger WordPress plugin (all versions through 2.3.20) allows any subscriber-level authenticated user to permanently destroy the plugin's entire cache-purge audit log (wp-content/purge.log). The root cause is that the tcp_log_purge nonce - the only credential required to trigger log deletion - is rendered in the WordPress admin bar on frontend pages visible to all authenticated users, including the lowest-privilege subscribers, making the authorization check trivially bypassable. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress The Cache Purger
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15945 MEDIUM This Month

Group search in Keycloak's administrative API leaks unauthorized parent group details to delegated administrators when Fine-Grained Admin Permissions v2 (FGAP v2) is enabled. A delegated admin with read access to a child group can trigger the flaw simply by searching for that child group, causing the API response to incorrectly return full attribute and configuration data for parent groups they have no authorization to view. CVSS 4.3 Medium (PR:L, C:L) reflects its limited confidentiality impact and authenticated-only exploitability; no active exploitation or public proof-of-concept has been identified at time of analysis.

Authentication Bypass Red Hat Build Of Keycloak Red Hat Data Grid 8 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7
NVD VulDB
CVSS 3.1
4.3
CVE-2026-55548 MEDIUM PATCH This Month

Telemetry archive exposure in Yamcs mission control framework allows any authenticated user to dump the entire raw packet archive by exploiting a broken object-level authorization check in the exportPackets API. Versions prior to 5.12.8 (stable) and 5.13.2 (development) are affected. No public exploit or CISA KEV listing exists, but the attack requires only a valid session and a trivially crafted HTTP request, making it immediately actionable for any insider or compromised account.

Authentication Bypass Java Yamcs
NVD GitHub
CVSS 3.1
4.3
CVE-2026-54568 MEDIUM PATCH This Month

Cross-device system_info disclosure in Microsoft UFO's WebSocket server allows any authenticated DEVICE-role client to retrieve another enrolled device's server-side system_info - including hostname, IP address, and metadata tags - by supplying an arbitrary target_id in a DEVICE_INFO_REQUEST message. Affected versions 3.0.0 through 3.0.5 authenticate the caller's role but omit object-level authorization in handle_device_info_request and get_device_info (ufo/server/ws/handler.py), meaning DEVICE clients can enumerate peers that only CONSTELLATION controllers should be able to query. No public exploit identified at time of analysis; vendor-released patch is version 3.0.6.

Authentication Bypass Microsoft Ufo
NVD GitHub
CVSS 3.1
4.3
CVE-2026-57205 MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in Microsoft SimpleChat exposes any authenticated user's profile data to other authenticated users without authorization checks. The GET /api/user/info/<user_id> and GET /api/user/profile-image/<user_id> endpoints in route_backend_users.py accept a caller-supplied user_id and query the Cosmos DB user-settings document directly, bypassing object-level authorization - enabling enumeration of email addresses, display names, and profile images across the entire user base. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; the vendor-released fix is version 0.241.203.

Information Disclosure Simplechat
NVD GitHub
CVSS 3.1
4.3
CVE-2026-15407 MEDIUM This Month

Authorization bypass in the Themify Builder WordPress plugin (all versions through 7.7.7) permits any authenticated subscriber-level user to overwrite or delete CSS stylesheet files for arbitrary posts - including private and draft posts owned by other users - and modify plugin-scoped font options site-wide. The CSRF nonce (tf_nonce) nominally required to gate these actions is broadcast to every authenticated user visiting any public front-end builder page via wp_localize_script, making it trivially collectible and rendering it ineffective as a security control. No active exploitation is confirmed (not in CISA KEV) and no public exploit has been identified at time of analysis.

Authentication Bypass CSRF WordPress Themify Builder
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-12409 MEDIUM This Month

Cross-site request forgery in the Landing Page Builder - Coming Soon Page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin (all versions up to and including 1.5.3.6) allows unauthenticated remote attackers to manipulate arbitrary WordPress posts by sending a forged AJAX request that inherits an authenticated editor or administrator's browser session. Missing nonce validation on the ulpb_admin_ajax function means a victim who clicks a crafted link while logged in unknowingly authorizes post creation, modification of titles, slugs, types, status, and injection of ULPB_DATA post meta. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified; EPSS data was not provided in available intelligence.

CSRF WordPress Landing Page Builder Coming Soon Page Maintenance Mode Lead Page Wordpress Landing Pages
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-15336 MEDIUM This Month

Missing authorization in the Catch Themes Demo Import WordPress plugin (versions up to and including 3.3) allows any subscriber-level authenticated user to force-install a hardcoded third-party plugin onto the target WordPress site. The vulnerability exists because catch_themes_demo_import_activate_plugin(), hooked on admin_init, invokes Plugin_Upgrader::install() to fetch and install 'essential-content-types' from WordPress.org before performing the current_user_can('activate_plugins') capability check - a classic authorization-check inversion. No public exploit code has been identified at time of analysis, and the constrained impact (only one hardcoded plugin can be installed, not arbitrary ones) meaningfully limits real-world severity despite the low authentication requirement.

Authentication Bypass WordPress Catch Themes Demo Import
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-47083 MEDIUM PATCH This Month

Cross-user information disclosure in Cyrus IMAP through 3.12.2 allows any authenticated IMAP user to enumerate folder names and retrieve message UIDs belonging to arbitrary other accounts via the ESEARCH command, creating a content oracle. The flaw (CWE-204, Observable Response Discrepancy) leaks mailbox structure - including folder names that may reveal sensitive organizational or personal context - without permitting reads of actual message content. No public exploit code has been identified at time of analysis, no CISA KEV listing exists, and the CVSS score of 4.3 reflects the authentication prerequisite and limited confidentiality impact, though risk is elevated in shared multi-tenant deployments such as ISPs and universities.

Oracle Information Disclosure Cyrus Imap
NVD
CVSS 3.1
4.3
CVE-2026-47089 MEDIUM PATCH This Month

Cyrus IMAP through 3.12.2 exposes mailbox ACL data to any authenticated user via the IMAP LISTRIGHTS command, which lacks the required admin-access authorization check. Any valid IMAP account holder can call LISTRIGHTS against arbitrary mailboxes they can name, learning which principals hold which access rights - data that should be restricted to mailbox administrators. No public exploit or active exploitation has been identified; vendor release notes reference 3.12.3 as the corrective release.

Authentication Bypass Cyrus Imap
NVD
CVSS 3.1
4.3
CVE-2026-47085 MEDIUM PATCH This Month

URLAUTH token forgery in Cyrus IMAP through 3.12.2 allows a network-based unauthenticated attacker to read the contents of a victim's mailbox folder by computing a forged authentication token using a predictable HMAC-SHA1 key. The predictability arises specifically when a victim has never issued a URLAUTH-authenticated URL for a given folder, leaving the per-folder mboxkey absent and thus falling back to a computable value. No public exploit code has been identified and no active exploitation has been confirmed; real-world impact is further constrained by URLAUTH being an obscure IMAP extension with negligible public client adoption.

Information Disclosure Cyrus Imap
NVD
CVSS 3.1
4.0
CVE-2026-52724 MEDIUM PATCH This Month

TLS certificate verification bypass in Kuma's kuma-dp data plane allows an on-path attacker to intercept the dataplane authentication token and inject a forged bootstrap configuration, effectively taking over the proxy. Affected deployments are Universal mode installations where operators start kuma-dp against an HTTPS control plane without supplying a CA certificate via --ca-cert-file or the KUMA_CONTROL_PLANE_CA_CERT environment variable. Standard Kubernetes installations using kumactl or the official Helm chart are not affected because the mutating admission webhook automatically injects the CA certificate. No public exploit or CISA KEV listing is present at time of analysis; patch releases are available across all supported branches.

Code Injection Kubernetes
NVD GitHub
CVE-2026-50166 MEDIUM PATCH This Month

TLS certificate verification bypass in Kuma's kumactl CLI tool allows network-adjacent attackers to intercept API tokens via man-in-the-middle attack. When an operator adds an HTTPS control plane profile without supplying --ca-cert-file, kumactl silently disables TLS verification (InsecureSkipVerify=true) and transmits API tokens over the unverified connection. A successful intercept grants the attacker the ability to impersonate the operator and issue privileged commands to the control plane. No public exploit identified at time of analysis; vendor-released patches are available.

Information Disclosure
NVD GitHub
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy