Skip to main content

CVE-2026-55882

HIGH
Information Exposure (CWE-200)
2026-06-19 https://github.com/tilt-dev/tilt GHSA-p749-9w62-w533
8.3
CVSS 4.0 · Vendor: https://github.com/tilt-dev/tilt
Share

Severity by source

Vendor (https://github.com/tilt-dev/tilt) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

AV:N and PR:N since unauthenticated over the network, but AC:H because exploitation depends on a non-default non-loopback bind; C:H for token leak, A:L for profiling slowdown, I:N.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/tilt-dev/tilt).

CVSS VectorVendor: https://github.com/tilt-dev/tilt

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jul 10, 2026 - 22:34 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 10, 2026 - 22:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
Jul 10, 2026 - 22:22 NVD
8.3 (HIGH)
Source Code Evidence Fetched
Jun 19, 2026 - 14:50 vuln.today
Analysis Generated
Jun 19, 2026 - 14:50 vuln.today

DescriptionCVE.org

Summary

The Tilt HUD server mounts Go's net/http/pprof handlers under /debug with no access control. When the HUD is network-exposed, an attacker can read process memory - including session and apiserver tokens - and hold the process under profiling.

Details

A blank import of net/http/pprof registers its handlers on http.DefaultServeMux, which the HUD controller mounts under /debug on both the web router and the apiserver listener. /debug/pprof/heap and /goroutine expose process memory, including the session token (also issued in the Tilt-Token cookie) and the apiserver loopback bearer token; /profile and /trace let a caller sample the process for an arbitrary duration.

Impact

An unauthenticated caller who can reach the listener can extract process memory - including the session and apiserver tokens - and degrade performance by holding the process under CPU profiling or tracing. The leaked tokens compound the missing-authentication finding on the same server.

Conditions for exploitation

  • Affected version in >= 0.19.5, <= 0.37.3.
  • HUD (or apiserver) listener bound to a non-loopback address (tilt up --host 0.0.0.0, or TILT_HOST set).
  • Network reachability to the listener (default port 10350).

Not affected

  • The default loopback-only bind is not reachable from the network.

Workarounds

Use the default loopback bind (omit --host, unset TILT_HOST) so /debug is not remotely reachable. No complete workaround short of upgrading for non-loopback deployments.

AnalysisAI

Sensitive information disclosure in the Tilt HUD server (Go package github.com/tilt-dev/tilt, versions >= 0.19.5 through <= 0.37.3) lets an unauthenticated network caller read live process memory via unprotected net/http/pprof endpoints mounted under /debug, harvesting the session token (Tilt-Token cookie) and the apiserver loopback bearer token, and hold the process under CPU profiling or tracing to degrade performance. Exploitation requires the HUD or apiserver listener to be bound to a non-loopback address (tilt up --host 0.0.0.0 or TILT_HOST set); the default loopback-only bind is not remotely reachable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: Audit all Tilt deployments with 'tilt config' or check TILT_HOST environment variable for non-loopback bindings (0.0.0.0, etc.); immediately bind HUD/apiserver listeners to loopback (127.0.0.1 default) if bound to non-loopback. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55882 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy