Kuma kumactl CVE-2026-50166
MEDIUMSeverity by source
AV:N because MITM can span any network hop; AC:H for required MITM positioning; UI:R because operator must invoke kumactl; C:H and I:H for full token-mediated control plane access; A:N as no availability impact.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
2DescriptionCVE.org
When an operator adds an HTTPS control plane profile to kumactl without providing a CA certificate, kumactl disables TLS verification and sends API tokens over the unverified connection
Impact
An attacker on the network path between the operator and the control plane can intercept user or admin API tokens and then act against the control plane as that user
Affected configurations
kumactlprofiles manually added against an HTTPS control plane endpoint without--ca-cert-file
Not affected
- The default local profile, which uses plain HTTP
Workarounds
When adding an HTTPS control plane profile to kumactl, always pass --ca-cert-file pointing at the control plane's serving CA. Alternatively, terminate the control plane behind a publicly trusted certificate; the patched releases will verify successfully against the operating system trust store with no further configuration
Resources
- Fix: https://github.com/kumahq/kuma/pull/16777
AnalysisAI
TLS certificate verification bypass in Kuma's kumactl CLI tool allows network-adjacent attackers to intercept API tokens via man-in-the-middle attack. When an operator adds an HTTPS control plane profile without supplying --ca-cert-file, kumactl silently disables TLS verification (InsecureSkipVerify=true) and transmits API tokens over the unverified connection. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two simultaneous conditions: (1) the targeted operator must have added an HTTPS control plane profile to kumactl without the --ca-cert-file flag, which causes kumactl to set InsecureSkipVerify=true silently rather than validating the server certificate; (2) the attacker must occupy a man-in-the-middle network position on the path between the operator's machine and the control plane API server at the time kumactl is invoked. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No official CVSS score was assigned; the assessment below is independently derived. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a foothold on a network segment between an operator's workstation and the Kuma control plane (e.g., a compromised router, ARP poisoning on a cloud VPC, or a rogue Wi-Fi access point) intercepts HTTPS traffic destined for the control plane. Because kumactl has disabled TLS verification, the attacker presents a self-signed certificate that kumactl accepts without complaint, completing the MITM. … |
| Remediation | Upgrade to a patched release: 2.7.26, 2.9.16, 2.11.14, or 2.12.11 depending on the active minor branch, as documented in GHSA-v95x-xhq5-4929 (https://github.com/kumahq/kuma/security/advisories/GHSA-v95x-xhq5-4929). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-v95x-xhq5-4929