Skip to main content

Kubernetes EUVDEUVD-2026-11730

| CVE-2026-32598 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-03-13 security-advisories@github.com GHSA-4524-cj9j-g4fj
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 20:00 euvd
EUVD-2026-11730
Analysis Generated
Mar 13, 2026 - 20:00 vuln.today
CVE Published
Mar 13, 2026 - 19:55 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL - containing the plaintext reset token - at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user. This vulnerability is fixed in 10.0.24.

AnalysisAI

OneUptime versions prior to 10.0.24 contain a sensitive information exposure vulnerability where the password reset flow logs complete password reset URLs containing plaintext reset tokens at the INFO log level, which is enabled by default in production environments. Any actor with access to application logs-including log aggregation systems, Docker logs, or Kubernetes pod logs-can extract these tokens and perform account takeover on any user. The vulnerability is fixed in version 10.0.24.

Technical ContextAI

This vulnerability is rooted in CWE-532 (Insertion of Sensitive Information into Log File), a common but critical weakness in application logging practices. OneUptime, a monitoring and online service management platform, implements a password reset mechanism that generates time-limited reset tokens and constructs a password reset URL containing this token in plaintext. The application logs this complete URL at INFO severity level during the reset flow execution. Since INFO-level logging is enabled by default in production deployments, the sensitive reset token persists in multiple log storage layers: in-container Docker logs accessible via the Docker daemon, Kubernetes pod logs stored in kubelet's log directory and accessible through kubectl commands, and centralized log aggregation systems (ELK, Splunk, CloudWatch, etc.) where logs are often stored for extended periods. The vulnerability affects OneUptime prior to version 10.0.24 (CPE: cpe:2.3:a:oneuptime:oneuptime). The root cause is insufficient log sanitization at the application layer combined with overly permissive log level defaults that expose security-critical data.

RemediationAI

The primary remediation is to upgrade OneUptime to version 10.0.24 or later immediately. For organizations unable to patch immediately, implement compensating controls: set the log level to WARN or ERROR (disabling INFO-level logging) in production environments to prevent the logging of sensitive reset URLs; restrict access to logs and log aggregation systems using role-based access control (RBAC) and limit log access to security teams only; rotate all existing password reset tokens by forcing a re-generation of any in-flight reset URLs; audit log retention policies and purge logs older than 7 days containing sensitive reset tokens; and implement log sanitization rules in any centralized log aggregation platform to mask or redact reset tokens and URLs matching the pattern. Monitor for signs of token extraction or unusual account access during the patching window. The vendor advisory is available at https://github.com/OneUptime/oneuptime/releases/tag/v10.0.24.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

EUVD-2026-11730 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy