Skip to main content

Calico CNI CVE-2026-41185

| EUVDEUVD-2026-32933 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-05-28 Tigera GHSA-m67g-87rx-v42c
6.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 28, 2026 - 17:26 vuln.today
Analysis Generated
May 28, 2026 - 17:26 vuln.today
CVSS changed
May 28, 2026 - 17:22 NVD
6.0 (MEDIUM)
CVE Published
May 28, 2026 - 15:47 nvd
MEDIUM 6.0

DescriptionCVE.org

When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map (stdinData) at INFO level to /var/log/calico/cni/cni.log on every CNI ADD and DEL invocation - once per pod scheduled or terminated on the node. When the cluster is deployed using token-based Kubernetes authentication, this log entry contains the ServiceAccount token, client key, and certificate authority in plaintext. Any principal with read access to /var/log/calico/cni/cni.log on a node  can read these logs and extract the credentials, which grant cluster-wide Calico networking admin privileges.

AnalysisAI

Credential exposure in Tigera Calico's Azure IPAM integration causes ServiceAccount tokens, client keys, and certificate authority data to be written in plaintext to a node-local log file on every pod scheduling and termination event. Affected deployments include Calico, Calico Enterprise, and Calico Cloud when the Azure IPAM plugin is in use with token-based Kubernetes authentication. Any low-privileged principal able to read /var/log/calico/cni/cni.log on an affected node can extract these credentials and leverage them for cluster-wide Calico networking administration. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the sensitive nature of the exposed material - full Kubernetes auth credentials - makes this a meaningful lateral movement and privilege escalation risk within affected Azure-hosted Kubernetes clusters.

Technical ContextAI

The vulnerability is rooted in CWE-532 (Insertion of Sensitive Information into Log File). Calico's CNI binary, when configured with the Azure IPAM plugin (cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:*), mutates the incoming CNI configuration struct (stdinData) to prepend Azure subnet information before delegating to the downstream IPAM plugin. A logrus INFO-level call then serializes the entire unmarshaled configuration map verbatim to /var/log/calico/cni/cni.log. Because Kubernetes token-based authentication embeds the ServiceAccount bearer token, client TLS key, and cluster CA directly in the CNI configuration, these secrets appear in every log line generated by a CNI ADD or DEL operation - one per pod lifecycle event. The fix, confirmed by PR diffs in projectcalico/calico (PRs #12502, #12527, #12526), replaces the full stdinData log call with targeted field logging of only non-sensitive values such as subnet and IP address, and removes a separate code path in install.go that printed the full CNI config file contents to stdout.

RemediationAI

Apply the upstream fixes from Tigera: patches are available via GitHub PRs #12502 (https://github.com/projectcalico/calico/pull/12502), #12527 (https://github.com/projectcalico/calico/pull/12527), and #12526 (https://github.com/projectcalico/calico/pull/12526). An exact released patched version number is not independently confirmed from the available data - consult the Tigera security bulletin at https://www.tigera.io/security-bulletins/tta-2026-002/ for the specific patched release version before upgrading. As an immediate compensating control, restrict read permissions on /var/log/calico/cni/cni.log to root only (chmod 600 and chown root:root), which limits exposure to processes already running as root - note this does not eliminate credential logging, only reduces who can read it. A second interim measure is to rotate any ServiceAccount tokens and TLS credentials that may have been exposed in existing log files, then purge or securely archive historical cni.log content on all Azure IPAM-configured nodes. Disabling Azure IPAM (switching to a non-Azure IPAM plugin) would eliminate the vulnerable code path but is a significant architectural change with networking impact that should only be considered if patching is delayed.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-41185 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy