Skip to main content

Kuma Control Plane CVE-2026-45021

| EUVD-2026-32966 MEDIUM
Origin Validation Error (CWE-346)
2026-05-14 https://github.com/kumahq/kuma GHSA-3vcp-chfh-f6r2
Information Disclosure Docker Kubernetes
5.1
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
CVSS changed
May 28, 2026 - 18:22 NVD
5.1 (MEDIUM)
Source Code Evidence Fetched
May 14, 2026 - 21:19 vuln.today
Analysis Generated
May 14, 2026 - 21:19 vuln.today
CVE Published
May 14, 2026 - 20:15 nvd
MEDIUM

DescriptionNVD

Summary

Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material.

Am I affected?

You are affected if all of these hold:

  1. kuma-cp runs with default config (CorsAllowedDomains: [".*"] and LocalhostIsAdmin: true).
  2. The control plane is reachable from a browser on the same machine:
  • kuma-cp run on a developer laptop
  • Docker --network host or port-publish on a workstation
  • kubectl port-forward from a machine that also browses the web
  1. The operator visits a page running attacker JavaScript while the control plane is reachable.

You are not affected if:

  • The control plane runs on a Kubernetes cluster accessed via ClusterIP, NodePort, or LoadBalancer from a remote client.
  • The control plane runs on an SSH-administered VM with no browser on the host.
  • KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=false is set (see https://kuma.io/docs/latest/production/secure-deployment/api-server-auth/).
  • KUMA_API_SERVER_CORS_ALLOWED_DOMAINS is set to an explicit allowlist that excludes attacker origins.

Mitigation

  1. Set KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=false after retrieving the admin token.
  2. Set KUMA_API_SERVER_CORS_ALLOWED_DOMAINS to an explicit allowlist, for example http://localhost:5681,http://127.0.0.1:5681.
  3. Do not run kuma-cp on a machine where you browse untrusted sites.

Fix

Fixed in #16416, backported to all supported release branches (#16423, #16424, #16425, #16426, #16427).

Changes in patched versions:

  • CorsAllowedDomains default changed from [".*"] to [] - CORS is now opt-in; set the env var explicitly if you need GUI access.
  • LocalhostIsAdmin hardened: now requires direct loopback RemoteAddr and Host, and rejects requests carrying proxy-hop headers (X-Forwarded-For), cross-site fetch metadata (Sec-Fetch-Site), or a non-localhost Origin.

Upgrade to a patched version:

  • 2.7.25
  • 2.9.15
  • 2.11.13
  • 2.12.10
  • 2.13.5

Credits

Reported by eldudareeno.

CVSS

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N = 5.1 Medium.

AnalysisAI

Kuma Control Plane with default configuration leaks admin bootstrap tokens and signing keys to any website an operator visits if the control plane is reachable from their browser. The vulnerability combines default CORS settings allowing all origins (CorsAllowedDomains: [".*"]) with LocalhostIsAdmin: true, which grants admin privileges to any request from 127.0.0.1 without validating whether it originates from a trusted same-origin context. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-45021 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy