Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material.
Am I affected?
You are affected if all of these hold:
kuma-cpruns with default config (CorsAllowedDomains: [".*"]andLocalhostIsAdmin: true).- The control plane is reachable from a browser on the same machine:
kuma-cp runon a developer laptop- Docker
--network hostor port-publish on a workstation kubectl port-forwardfrom a machine that also browses the web
- The operator visits a page running attacker JavaScript while the control plane is reachable.
You are not affected if:
- The control plane runs on a Kubernetes cluster accessed via ClusterIP, NodePort, or LoadBalancer from a remote client.
- The control plane runs on an SSH-administered VM with no browser on the host.
KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=falseis set (see https://kuma.io/docs/latest/production/secure-deployment/api-server-auth/).KUMA_API_SERVER_CORS_ALLOWED_DOMAINSis set to an explicit allowlist that excludes attacker origins.
Mitigation
- Set
KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=falseafter retrieving the admin token. - Set
KUMA_API_SERVER_CORS_ALLOWED_DOMAINSto an explicit allowlist, for examplehttp://localhost:5681,http://127.0.0.1:5681. - Do not run
kuma-cpon a machine where you browse untrusted sites.
Fix
Fixed in #16416, backported to all supported release branches (#16423, #16424, #16425, #16426, #16427).
Changes in patched versions:
CorsAllowedDomainsdefault changed from[".*"]to[]- CORS is now opt-in; set the env var explicitly if you need GUI access.LocalhostIsAdminhardened: now requires direct loopbackRemoteAddrandHost, and rejects requests carrying proxy-hop headers (X-Forwarded-For), cross-site fetch metadata (Sec-Fetch-Site), or a non-localhostOrigin.
Upgrade to a patched version:
- 2.7.25
- 2.9.15
- 2.11.13
- 2.12.10
- 2.13.5
Credits
Reported by eldudareeno.
CVSS
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N = 5.1 Medium.
AnalysisAI
Kuma Control Plane with default configuration leaks admin bootstrap tokens and signing keys to any website an operator visits if the control plane is reachable from their browser. The vulnerability combines default CORS settings allowing all origins (CorsAllowedDomains: [".*"]) with LocalhostIsAdmin: true, which grants admin privileges to any request from 127.0.0.1 without validating whether it originates from a trusted same-origin context. An attacker's JavaScript on a visited webpage can cross-origin fetch the admin token and cryptographic material via browser requests to localhost:5681. This is not actively exploited in the wild but represents a realistic threat in developer and testing environments where control planes run on workstations with web browsers.
Technical ContextAI
Kuma is a Kubernetes-native service mesh control plane written in Go. The vulnerability stems from overly permissive defaults in the API server's CORS (Cross-Origin Resource Sharing) and authentication layers. The CORS configuration CorsAllowedDomains: [".*"] matches any Origin header via regex, causing the API server to reflect wildcard CORS headers in responses, bypassing browser Same-Origin Policy protections. Simultaneously, the LocalhostIsAdmin authenticator in pkg/api-server/authn/localhost.go originally granted admin privileges to any HTTP request with RemoteAddr of 127.0.0.1 or ::1, without validating whether the request originated from a trusted localhost webpage or was injected by cross-origin JavaScript. When a browser on the same machine (e.g., developer laptop, Docker host with --network host, or kubectl port-forward session) visits an attacker-controlled page, that page's JavaScript can use fetch() to reach the locally-exposed API server. The combination of CORS bypass and localhost-source-based privilege escalation allows credential theft without any user action beyond visiting a malicious site. The root cause is CWE-346 (Origin Validation Error) - the application fails to validate request origins before granting admin access.
RemediationAI
Immediately upgrade Kuma Control Plane to a patched version: 2.7.25, 2.9.15, 2.11.13, 2.12.10, or 2.13.5+. Consult GitHub advisory https://github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2 for release notes. If upgrade is not immediately possible, apply compensating controls: Set environment variable KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=false after retrieving the initial admin bootstrap token via direct loopback or out-of-band mechanism; this removes the automatic localhost privilege escalation. Additionally, set KUMA_API_SERVER_CORS_ALLOWED_DOMAINS to an explicit allowlist (e.g., http://localhost:5681,http://127.0.0.1:5681 for local GUI access) or empty list if CORS is not needed; do not rely on regex patterns. As a third control, administratively restrict control-plane network access to exclude web-browsing hosts - run kuma-cp on dedicated management VMs or SSH-administered systems where no web browser is installed, rather than on developer workstations. These mitigations carry trade-offs: disabling LocalhostIsAdmin requires token-based authentication via kumactl for initial setup; explicit CORS allowlisting requires knowledge of all GUI origins and breaks dynamic reverse-proxy deployments; and host isolation reduces operational convenience for local testing.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-346 – Origin Validation Error
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32966
GHSA-3vcp-chfh-f6r2