Skip to main content

Kubetail Dashboard CVE-2026-44514

| EUVDEUVD-2026-30331 MEDIUM
Missing Origin Validation in WebSockets (CWE-1385)
2026-05-07 https://github.com/kubetail-org/kubetail GHSA-v8j7-hp7c-738f
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 03:00 vuln.today
Analysis Generated
May 07, 2026 - 03:00 vuln.today
CVE Published
May 07, 2026 - 02:34 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Summary

Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. This is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability and affects both the desktop deployment (default http://localhost:7500) and cluster deployments (typically behind an Ingress with HTTP basic auth).

Impact

An attacker who can convince an authenticated Kubetail user to visit a page they control can:

  • Establish a WebSocket connection to the victim's dashboard from the attacker's origin
  • Stream container logs the victim has access to via the Kubernetes API
  • Exfiltrate the contents to an attacker-controlled server

The attacker gains read-only access to logs - no write or destructive operations are exposed. However, container logs frequently contain credentials accidentally written by application code, bearer tokens, internal hostnames, customer PII, and other secrets, so the practical impact of read access can be significant.

The desktop deployment is particularly exposed because the dashboard is reachable at a predictable localhost URL, requires no network reachability from the attacker, and the browser will attach ambient credentials to the WebSocket handshake. For cluster deployments fronted by HTTP basic auth, the browser's automatic re-sending of basic-auth credentials on the WebSocket upgrade request enables the same attack against the configured dashboard origin.

Affected versions

ComponentNameAffectedPatched
Kubetail Dashboard docker imagekubetail-dashboard< 0.14.0>= 0.14.0
Kubetail Helm Chartkubetail/kubetail< 0.23.0>= 0.23.0
Kubetail CLIkubetail< 0.16.0>= 0.16.0

Confirmed in Google Chrome. Microsoft Edge is presumed affected as it shares Chromium's WebSocket implementation, but was not directly tested.

Preconditions for exploitation

  1. The victim has an active authenticated Kubetail session (desktop dashboard running, or browser holding valid credentials for a cluster deployment).
  2. The victim visits a web page controlled by the attacker in the same browser.
  3. The attacker knows or can guess the dashboard URL (trivial for desktop; cluster deployments require knowing the Ingress hostname).

Patches

Upgrade to:

  • Kubetail Dashboard 0.14.0 or later
  • Kubetail Helm Chart 0.23.0 or later
  • Kubetail CLI 0.16.0 or later

Workarounds

If users cannot upgrade immediately:

  • Desktop: Stop the dashboard (kubetail CLI process) when not actively in use. Avoid visiting untrusted sites in the same browser profile while the dashboard is running.
  • Cluster: Restrict Ingress access to a VPN, bastion, or office network. Add a stronger outer authentication layer (e.g. OAuth proxy) in front of basic auth. Consider browser profile isolation for cluster admins.

AnalysisAI

Kubetail Dashboard prior to version 0.14.0 fails to validate the Origin header on WebSocket connection upgrades, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks. An authenticated user visiting a malicious web page can be exploited to stream their Kubernetes container logs-including credentials, tokens, and PII often present in logs-to an attacker-controlled server. The vulnerability affects both desktop deployments at localhost:7500 and cluster deployments behind HTTP basic auth, with browser ambient credentials automatically attached to the WebSocket handshake.

Technical ContextAI

Kubetail Dashboard implements WebSocket endpoints for real-time Kubernetes log streaming (pkg:go/github.com_kubetail-org_kubetail_modules_dashboard). The vulnerability stems from inadequate Origin header validation during WebSocket upgrade handshakes, a critical defense mechanism against cross-origin attacks. Modern browsers enforce Same-Origin Policy (SOP) on HTTP requests but allow WebSocket upgrades from any origin if the server does not validate the Origin header. CWE-1385 (Improper Validation of Specified Quantity in Input) describes the root cause: the application fails to validate a required security-critical header. For desktop deployments, the WebSocket is reachable at a predictable localhost:7500 address with no network barrier. For cluster deployments, HTTP basic auth credentials are automatically re-sent by the browser during the WebSocket upgrade request, effectively authenticating the hijacked connection.

RemediationAI

Vendor-released patches are available: upgrade Kubetail Dashboard to 0.14.0 or later, Kubetail Helm Chart to 0.23.0 or later, and Kubetail CLI to 0.16.0 or later. See https://github.com/kubetail-org/kubetail/security/advisories/GHSA-v8j7-hp7c-738f for full advisory and upgrade guidance. Until patching is possible, implement the following workarounds with noted trade-offs: For desktop deployments, stop the Kubetail CLI process and dashboard when not actively in use (operational friction but eliminates attack surface); avoid visiting untrusted websites in the same browser profile while the dashboard is running (behavioral control, difficult to enforce at scale). For cluster deployments, restrict Ingress access to a VPN, bastion host, or office network (reduces attacker's ability to deliver the malicious page but assumes external attacker; insider threats remain unmitigated); deploy a stronger outer authentication layer such as an OAuth proxy in front of HTTP basic auth (adds defense in depth but increases operational complexity); isolate browser profiles for cluster administrators (limits blast radius but impractical for many environments). These workarounds do not eliminate the vulnerability-patching is the definitive remediation.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-44514 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy