Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. This is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability and affects both the desktop deployment (default http://localhost:7500) and cluster deployments (typically behind an Ingress with HTTP basic auth).
Impact
An attacker who can convince an authenticated Kubetail user to visit a page they control can:
- Establish a WebSocket connection to the victim's dashboard from the attacker's origin
- Stream container logs the victim has access to via the Kubernetes API
- Exfiltrate the contents to an attacker-controlled server
The attacker gains read-only access to logs - no write or destructive operations are exposed. However, container logs frequently contain credentials accidentally written by application code, bearer tokens, internal hostnames, customer PII, and other secrets, so the practical impact of read access can be significant.
The desktop deployment is particularly exposed because the dashboard is reachable at a predictable localhost URL, requires no network reachability from the attacker, and the browser will attach ambient credentials to the WebSocket handshake. For cluster deployments fronted by HTTP basic auth, the browser's automatic re-sending of basic-auth credentials on the WebSocket upgrade request enables the same attack against the configured dashboard origin.
Affected versions
| Component | Name | Affected | Patched |
|---|---|---|---|
| Kubetail Dashboard docker image | kubetail-dashboard | < 0.14.0 | >= 0.14.0 |
| Kubetail Helm Chart | kubetail/kubetail | < 0.23.0 | >= 0.23.0 |
| Kubetail CLI | kubetail | < 0.16.0 | >= 0.16.0 |
Confirmed in Google Chrome. Microsoft Edge is presumed affected as it shares Chromium's WebSocket implementation, but was not directly tested.
Preconditions for exploitation
- The victim has an active authenticated Kubetail session (desktop dashboard running, or browser holding valid credentials for a cluster deployment).
- The victim visits a web page controlled by the attacker in the same browser.
- The attacker knows or can guess the dashboard URL (trivial for desktop; cluster deployments require knowing the Ingress hostname).
Patches
Upgrade to:
- Kubetail Dashboard 0.14.0 or later
- Kubetail Helm Chart 0.23.0 or later
- Kubetail CLI 0.16.0 or later
Workarounds
If users cannot upgrade immediately:
- Desktop: Stop the dashboard (kubetail CLI process) when not actively in use. Avoid visiting untrusted sites in the same browser profile while the dashboard is running.
- Cluster: Restrict Ingress access to a VPN, bastion, or office network. Add a stronger outer authentication layer (e.g. OAuth proxy) in front of basic auth. Consider browser profile isolation for cluster admins.
AnalysisAI
Kubetail Dashboard prior to version 0.14.0 fails to validate the Origin header on WebSocket connection upgrades, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks. An authenticated user visiting a malicious web page can be exploited to stream their Kubernetes container logs-including credentials, tokens, and PII often present in logs-to an attacker-controlled server. The vulnerability affects both desktop deployments at localhost:7500 and cluster deployments behind HTTP basic auth, with browser ambient credentials automatically attached to the WebSocket handshake.
Technical ContextAI
Kubetail Dashboard implements WebSocket endpoints for real-time Kubernetes log streaming (pkg:go/github.com_kubetail-org_kubetail_modules_dashboard). The vulnerability stems from inadequate Origin header validation during WebSocket upgrade handshakes, a critical defense mechanism against cross-origin attacks. Modern browsers enforce Same-Origin Policy (SOP) on HTTP requests but allow WebSocket upgrades from any origin if the server does not validate the Origin header. CWE-1385 (Improper Validation of Specified Quantity in Input) describes the root cause: the application fails to validate a required security-critical header. For desktop deployments, the WebSocket is reachable at a predictable localhost:7500 address with no network barrier. For cluster deployments, HTTP basic auth credentials are automatically re-sent by the browser during the WebSocket upgrade request, effectively authenticating the hijacked connection.
RemediationAI
Vendor-released patches are available: upgrade Kubetail Dashboard to 0.14.0 or later, Kubetail Helm Chart to 0.23.0 or later, and Kubetail CLI to 0.16.0 or later. See https://github.com/kubetail-org/kubetail/security/advisories/GHSA-v8j7-hp7c-738f for full advisory and upgrade guidance. Until patching is possible, implement the following workarounds with noted trade-offs: For desktop deployments, stop the Kubetail CLI process and dashboard when not actively in use (operational friction but eliminates attack surface); avoid visiting untrusted websites in the same browser profile while the dashboard is running (behavioral control, difficult to enforce at scale). For cluster deployments, restrict Ingress access to a VPN, bastion host, or office network (reduces attacker's ability to deliver the malicious page but assumes external attacker; insider threats remain unmitigated); deploy a stronger outer authentication layer such as an OAuth proxy in front of HTTP basic auth (adds defense in depth but increases operational complexity); isolate browser profiles for cluster administrators (limits blast radius but impractical for many environments). These workarounds do not eliminate the vulnerability-patching is the definitive remediation.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-1385 – Missing Origin Validation in WebSockets
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30331
GHSA-v8j7-hp7c-738f