Kuma kuma-dp CVE-2026-52724
MEDIUMSeverity by source
On-path MitM requires AC:H; no auth needed for attacker (PR:N); proxy takeover impacts services beyond the vulnerable component (S:C) with full C/I/A.
Lifecycle Timeline
2DescriptionCVE.org
When kuma-dp is started against an HTTPS control plane and the operator did not pass a CA certificate, the data plane connects with TLS peer verification disabled. The dataplane authentication token is sent over this unverified connection
Impact
An on-path attacker can intercept the dataplane authentication token and impersonate the control plane to the data plane, allowing them to inject a forged bootstrap configuration and take over the proxy
Affected configurations
- Universal mode
kuma-dpstarted against an HTTPS control plane without--ca-cert-file(orKUMA_CONTROL_PLANE_CA_CERTunset)
Not affected
- Kubernetes installs done through the standard installers (
kumactl install control-planeor the official Helm chart). In both cases the control plane's mutating admission webhook injectsKUMA_CONTROL_PLANE_CA_CERTinto every sidecar at pod admission, so eachkuma-dpstarts with the CA already configured
Workarounds
Set --ca-cert-file (or KUMA_CONTROL_PLANE_CA_CERT) on every Universal mode data plane and point it at the control plane's serving CA. Alternatively, terminate the control plane behind a publicly trusted certificate; the patched releases will verify successfully against the operating system trust store with no further configuration
Resources
- Fix: https://github.com/kumahq/kuma/pull/16777
AnalysisAI
TLS certificate verification bypass in Kuma's kuma-dp data plane allows an on-path attacker to intercept the dataplane authentication token and inject a forged bootstrap configuration, effectively taking over the proxy. Affected deployments are Universal mode installations where operators start kuma-dp against an HTTPS control plane without supplying a CA certificate via --ca-cert-file or the KUMA_CONTROL_PLANE_CA_CERT environment variable. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: kuma-dp must be operating in Universal mode (not Kubernetes mode), the HTTPS control plane URL must be configured without a corresponding CA certificate (--ca-cert-file flag absent and KUMA_CONTROL_PLANE_CA_CERT environment variable unset), and the attacker must hold an on-path network position between the data plane host and the control plane host. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is meaningful for Universal mode deployments but is naturally constrained by the requirement for on-path network positioning (CWE-295, CVSS AC:H analog), which significantly limits opportunistic exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with on-path network access between a Universal mode kuma-dp instance and the HTTPS control plane - for example, via ARP spoofing on a shared network segment or BGP hijack - intercepts the TLS handshake where kuma-dp presents no certificate validation. The attacker captures the transmitted dataplane authentication token, then presents a forged control plane identity to kuma-dp and delivers a malicious Envoy bootstrap configuration. … |
| Remediation | Upgrade kuma-dp to one of the vendor-released patched versions: 2.7.26 (for 2.7.x branch), 2.9.16 (for 2.8.x/2.9.x branch), 2.11.14 (for 2.10.x/2.11.x branch), or 2.12.11 (for 2.12.x branch), per the GitHub security advisory at https://github.com/kumahq/kuma/security/advisories/GHSA-wvmp-6r4v-j6cv. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-wvmp-6r4v-j6cv