Skip to main content

Kuma Control Plane CVE-2026-45021

| EUVDEUVD-2026-32966 MEDIUM
Origin Validation Error (CWE-346)
2026-05-14 https://github.com/kumahq/kuma GHSA-3vcp-chfh-f6r2
5.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
CVSS changed
May 28, 2026 - 18:22 NVD
5.1 (MEDIUM)
Source Code Evidence Fetched
May 14, 2026 - 21:19 vuln.today
Analysis Generated
May 14, 2026 - 21:19 vuln.today
CVE Published
May 14, 2026 - 20:15 nvd
MEDIUM

DescriptionGitHub Advisory

Summary

Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material.

Am I affected?

You are affected if all of these hold:

  1. kuma-cp runs with default config (CorsAllowedDomains: [".*"] and LocalhostIsAdmin: true).
  2. The control plane is reachable from a browser on the same machine:
  • kuma-cp run on a developer laptop
  • Docker --network host or port-publish on a workstation
  • kubectl port-forward from a machine that also browses the web
  1. The operator visits a page running attacker JavaScript while the control plane is reachable.

You are not affected if:

  • The control plane runs on a Kubernetes cluster accessed via ClusterIP, NodePort, or LoadBalancer from a remote client.
  • The control plane runs on an SSH-administered VM with no browser on the host.
  • KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=false is set (see https://kuma.io/docs/latest/production/secure-deployment/api-server-auth/).
  • KUMA_API_SERVER_CORS_ALLOWED_DOMAINS is set to an explicit allowlist that excludes attacker origins.

Mitigation

  1. Set KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=false after retrieving the admin token.
  2. Set KUMA_API_SERVER_CORS_ALLOWED_DOMAINS to an explicit allowlist, for example http://localhost:5681,http://127.0.0.1:5681.
  3. Do not run kuma-cp on a machine where you browse untrusted sites.

Fix

Fixed in #16416, backported to all supported release branches (#16423, #16424, #16425, #16426, #16427).

Changes in patched versions:

  • CorsAllowedDomains default changed from [".*"] to [] - CORS is now opt-in; set the env var explicitly if you need GUI access.
  • LocalhostIsAdmin hardened: now requires direct loopback RemoteAddr and Host, and rejects requests carrying proxy-hop headers (X-Forwarded-For), cross-site fetch metadata (Sec-Fetch-Site), or a non-localhost Origin.

Upgrade to a patched version:

  • 2.7.25
  • 2.9.15
  • 2.11.13
  • 2.12.10
  • 2.13.5

Credits

Reported by eldudareeno.

CVSS

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N = 5.1 Medium.

AnalysisAI

Kuma Control Plane with default configuration leaks admin bootstrap tokens and signing keys to any website an operator visits if the control plane is reachable from their browser. The vulnerability combines default CORS settings allowing all origins (CorsAllowedDomains: [".*"]) with LocalhostIsAdmin: true, which grants admin privileges to any request from 127.0.0.1 without validating whether it originates from a trusted same-origin context. An attacker's JavaScript on a visited webpage can cross-origin fetch the admin token and cryptographic material via browser requests to localhost:5681. This is not actively exploited in the wild but represents a realistic threat in developer and testing environments where control planes run on workstations with web browsers.

Technical ContextAI

Kuma is a Kubernetes-native service mesh control plane written in Go. The vulnerability stems from overly permissive defaults in the API server's CORS (Cross-Origin Resource Sharing) and authentication layers. The CORS configuration CorsAllowedDomains: [".*"] matches any Origin header via regex, causing the API server to reflect wildcard CORS headers in responses, bypassing browser Same-Origin Policy protections. Simultaneously, the LocalhostIsAdmin authenticator in pkg/api-server/authn/localhost.go originally granted admin privileges to any HTTP request with RemoteAddr of 127.0.0.1 or ::1, without validating whether the request originated from a trusted localhost webpage or was injected by cross-origin JavaScript. When a browser on the same machine (e.g., developer laptop, Docker host with --network host, or kubectl port-forward session) visits an attacker-controlled page, that page's JavaScript can use fetch() to reach the locally-exposed API server. The combination of CORS bypass and localhost-source-based privilege escalation allows credential theft without any user action beyond visiting a malicious site. The root cause is CWE-346 (Origin Validation Error) - the application fails to validate request origins before granting admin access.

RemediationAI

Immediately upgrade Kuma Control Plane to a patched version: 2.7.25, 2.9.15, 2.11.13, 2.12.10, or 2.13.5+. Consult GitHub advisory https://github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2 for release notes. If upgrade is not immediately possible, apply compensating controls: Set environment variable KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=false after retrieving the initial admin bootstrap token via direct loopback or out-of-band mechanism; this removes the automatic localhost privilege escalation. Additionally, set KUMA_API_SERVER_CORS_ALLOWED_DOMAINS to an explicit allowlist (e.g., http://localhost:5681,http://127.0.0.1:5681 for local GUI access) or empty list if CORS is not needed; do not rely on regex patterns. As a third control, administratively restrict control-plane network access to exclude web-browsing hosts - run kuma-cp on dedicated management VMs or SSH-administered systems where no web browser is installed, rather than on developer workstations. These mitigations carry trade-offs: disabling LocalhostIsAdmin requires token-based authentication via kumactl for initial setup; explicit CORS allowlisting requires knowledge of all GUI origins and breaks dynamic reverse-proxy deployments; and host isolation reduces operational convenience for local testing.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-45021 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy