Skip to main content

Kuma kuma-dp CVE-2026-52724

MEDIUM
Improper Certificate Validation (CWE-295)
2026-07-16 https://github.com/kumahq/kuma GHSA-wvmp-6r4v-j6cv
Share

Severity by source

vuln.today AI
9.0 CRITICAL

On-path MitM requires AC:H; no auth needed for attacker (PR:N); proxy takeover impacts services beyond the vulnerable component (S:C) with full C/I/A.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 16, 2026 - 20:37 vuln.today
Analysis Generated
Jul 16, 2026 - 20:37 vuln.today

DescriptionCVE.org

When kuma-dp is started against an HTTPS control plane and the operator did not pass a CA certificate, the data plane connects with TLS peer verification disabled. The dataplane authentication token is sent over this unverified connection

Impact

An on-path attacker can intercept the dataplane authentication token and impersonate the control plane to the data plane, allowing them to inject a forged bootstrap configuration and take over the proxy

Affected configurations

  • Universal mode kuma-dp started against an HTTPS control plane without --ca-cert-file (or KUMA_CONTROL_PLANE_CA_CERT unset)

Not affected

  • Kubernetes installs done through the standard installers (kumactl install control-plane or the official Helm chart). In both cases the control plane's mutating admission webhook injects KUMA_CONTROL_PLANE_CA_CERT into every sidecar at pod admission, so each kuma-dp starts with the CA already configured

Workarounds

Set --ca-cert-file (or KUMA_CONTROL_PLANE_CA_CERT) on every Universal mode data plane and point it at the control plane's serving CA. Alternatively, terminate the control plane behind a publicly trusted certificate; the patched releases will verify successfully against the operating system trust store with no further configuration

Resources

  • Fix: https://github.com/kumahq/kuma/pull/16777

AnalysisAI

TLS certificate verification bypass in Kuma's kuma-dp data plane allows an on-path attacker to intercept the dataplane authentication token and inject a forged bootstrap configuration, effectively taking over the proxy. Affected deployments are Universal mode installations where operators start kuma-dp against an HTTPS control plane without supplying a CA certificate via --ca-cert-file or the KUMA_CONTROL_PLANE_CA_CERT environment variable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain on-path network position
Delivery
Intercept kuma-dp TLS handshake (no cert validation)
Exploit
Capture dataplane authentication token
Execution
Impersonate control plane to kuma-dp
Persist
Inject forged Envoy bootstrap configuration
Impact
Take over proxy and manipulate mesh traffic

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: kuma-dp must be operating in Universal mode (not Kubernetes mode), the HTTPS control plane URL must be configured without a corresponding CA certificate (--ca-cert-file flag absent and KUMA_CONTROL_PLANE_CA_CERT environment variable unset), and the attacker must hold an on-path network position between the data plane host and the control plane host. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is meaningful for Universal mode deployments but is naturally constrained by the requirement for on-path network positioning (CWE-295, CVSS AC:H analog), which significantly limits opportunistic exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with on-path network access between a Universal mode kuma-dp instance and the HTTPS control plane - for example, via ARP spoofing on a shared network segment or BGP hijack - intercepts the TLS handshake where kuma-dp presents no certificate validation. The attacker captures the transmitted dataplane authentication token, then presents a forged control plane identity to kuma-dp and delivers a malicious Envoy bootstrap configuration. …
Remediation Upgrade kuma-dp to one of the vendor-released patched versions: 2.7.26 (for 2.7.x branch), 2.9.16 (for 2.8.x/2.9.x branch), 2.11.14 (for 2.10.x/2.11.x branch), or 2.12.11 (for 2.12.x branch), per the GitHub security advisory at https://github.com/kumahq/kuma/security/advisories/GHSA-wvmp-6r4v-j6cv. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-52724 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy