What is the CVSS score of CVE-2026-42283?

CVE-2026-42283 has a CVSS 3.1 base score of 7.7 (High). CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of DevSpace are affected by CVE-2026-42283?

DevSpace UI Server (versions 6.3.20 and earlier) contains a Cross-Site WebSocket Hijacking vulnerability that allows remote attackers to execute arbitrary commands within Kubernetes pods by tricking…. A patch is available.

How to fix or mitigate CVE-2026-42283?

Within 24 hours: Identify all DevSpace installations running versions 6.3.20 or earlier using inventory/deployment management tools and document affected systems. Within 7 days: Upgrade all instances to DevSpace 6.3.21 or later. As interim mitigation, restrict network access to localhost:8090 to trusted networks only and disable the DevSpace UI server if not actively in use. Within 30 days: Audit WebSocket endpoint logs for suspicious cross-origin connection attempts and review pod access logs for unauthorized command execution during the vulnerable period.

DevSpace CVE-2026-42283

EUVD-2026-30319 HIGH

Information Exposure (CWE-200)

2026-05-06 https://github.com/devspace-sh/devspace

GHSA-hqwm-7x7x-8379

Information Disclosure Node.js

7.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Source Code Evidence Fetched

May 06, 2026 - 17:45 vuln.today

Analysis Generated

May 06, 2026 - 17:45 vuln.today

DescriptionNVD

Description

DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to ws://127.0.0.1:8090. This allows an attacker to access:

/api/logs to stream real-time pod logs
/api/enter to open an interactive shell inside the running pod
/api/command to execute pre-defined pipeline commands

Patches

Versions 6.3.21 and above are patched.

Resources

gorilla/websocket CheckOrigin documentation

Installation Options

Devspace is no longer publishing to NPM or Yarn, please continue to use our other installation methods to get updates in the future, including this patch.

Credit

DevSpace thanks @b0b0haha for finding and reporting this vulnerability.

AnalysisAI

Cross-Site WebSocket Hijacking in DevSpace UI Server allows remote attackers to execute commands inside Kubernetes pods when developers visit malicious websites while DevSpace UI is running. The UI server's WebSocket endpoint at localhost:8090 accepts connections from any origin, enabling browser-based exploitation without authentication. …

RemediationAI

Within 24 hours: Identify all DevSpace installations running versions 6.3.20 or earlier using inventory/deployment management tools and document affected systems. Within 7 days: Upgrade all instances to DevSpace 6.3.21 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-42283 vulnerability details – vuln.today

Back

DevSpace CVE-2026-42283

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Description

Patches

Resources

Installation Options

Credit

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code