Skip to main content

Kuma kumactl CVE-2026-50166

MEDIUM
Improper Certificate Validation (CWE-295)
2026-07-16 https://github.com/kumahq/kuma GHSA-v95x-xhq5-4929
Share

Severity by source

vuln.today AI
6.8 MEDIUM

AV:N because MITM can span any network hop; AC:H for required MITM positioning; UI:R because operator must invoke kumactl; C:H and I:H for full token-mediated control plane access; A:N as no availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 16, 2026 - 19:31 vuln.today
Analysis Generated
Jul 16, 2026 - 19:31 vuln.today

DescriptionCVE.org

When an operator adds an HTTPS control plane profile to kumactl without providing a CA certificate, kumactl disables TLS verification and sends API tokens over the unverified connection

Impact

An attacker on the network path between the operator and the control plane can intercept user or admin API tokens and then act against the control plane as that user

Affected configurations

  • kumactl profiles manually added against an HTTPS control plane endpoint without --ca-cert-file

Not affected

  • The default local profile, which uses plain HTTP

Workarounds

When adding an HTTPS control plane profile to kumactl, always pass --ca-cert-file pointing at the control plane's serving CA. Alternatively, terminate the control plane behind a publicly trusted certificate; the patched releases will verify successfully against the operating system trust store with no further configuration

Resources

  • Fix: https://github.com/kumahq/kuma/pull/16777

AnalysisAI

TLS certificate verification bypass in Kuma's kumactl CLI tool allows network-adjacent attackers to intercept API tokens via man-in-the-middle attack. When an operator adds an HTTPS control plane profile without supplying --ca-cert-file, kumactl silently disables TLS verification (InsecureSkipVerify=true) and transmits API tokens over the unverified connection. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attain MITM on operator's network path
Delivery
Intercept HTTPS kumactl request (TLS not verified)
Exploit
Extract Bearer API token from Authorization header
Execution
Replay token to control plane API
Impact
Issue privileged control plane commands

Vulnerability AssessmentAI

Exploitation Exploitation requires two simultaneous conditions: (1) the targeted operator must have added an HTTPS control plane profile to kumactl without the --ca-cert-file flag, which causes kumactl to set InsecureSkipVerify=true silently rather than validating the server certificate; (2) the attacker must occupy a man-in-the-middle network position on the path between the operator's machine and the control plane API server at the time kumactl is invoked. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No official CVSS score was assigned; the assessment below is independently derived. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a foothold on a network segment between an operator's workstation and the Kuma control plane (e.g., a compromised router, ARP poisoning on a cloud VPC, or a rogue Wi-Fi access point) intercepts HTTPS traffic destined for the control plane. Because kumactl has disabled TLS verification, the attacker presents a self-signed certificate that kumactl accepts without complaint, completing the MITM. …
Remediation Upgrade to a patched release: 2.7.26, 2.9.16, 2.11.14, or 2.12.11 depending on the active minor branch, as documented in GHSA-v95x-xhq5-4929 (https://github.com/kumahq/kuma/security/advisories/GHSA-v95x-xhq5-4929). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50166 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy