Skip to main content

Calico calicoctl EUVDEUVD-2026-32932

| CVE-2026-6720 HIGH
Insertion of Sensitive Information into Log File (CWE-532)
2026-05-28 Tigera GHSA-3m4q-ggcj-j6m4
7.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 28, 2026 - 17:23 vuln.today
Analysis Generated
May 28, 2026 - 17:23 vuln.today
CVSS changed
May 28, 2026 - 17:22 NVD
7.2 (HIGH)

DescriptionCVE.org

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster - inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream - CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl - can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.

AnalysisAI

Credential disclosure in Tigera Calico's calicoctl CLI exposes cluster-access secrets through verbose logging output. When operators run calicoctl with --log-level=info or --log-level=debug, the tool serializes its entire connection-configuration struct (including bearer tokens, etcd passwords, and inline PEM client certificates/keys) to stderr in a single log line, making them harvestable by anyone with access to CI logs, terminal recordings, or support transcripts. The issue is patched upstream but no public exploit is identified at time of analysis; default panic-level logging means standard deployments are not exposed.

Technical ContextAI

Calico is a widely deployed Kubernetes networking and network-policy engine maintained by Tigera; calicoctl is its administrative CLI which loads a CalicoAPIConfig struct containing both etcdv3 and Kubernetes datastore credentials. The root cause is a classic CWE-532 (Insertion of Sensitive Information into Log File): the previous code at calicoctl/commands/clientmgr/client.go used log.Infof("Loaded client config: %#v", cfg.Spec), where Go's %#v verb reflectively prints every struct field - including KubeconfigInline, K8sAPIToken, EtcdPassword, EtcdKey, and EtcdCert. The upstream fix (PRs 12535/12536/12537) replaces the dump with a structured log that emits only non-sensitive metadata and boolean *Set flags indicating whether each credential is populated, never the value itself.

RemediationAI

Upstream fix available (PRs https://github.com/projectcalico/calico/pull/12535, /12536, and /12537); a released patched version is not independently confirmed in the provided data, so consult the Tigera bulletin at https://www.tigera.io/security-bulletins/tta-2026-003/ for the exact fixed calicoctl build for Calico OSS, Calico Enterprise, and Calico Cloud and upgrade accordingly. As an immediate workaround, leave calicoctl at its default --log-level=panic and forbid info/debug logging in automation; if verbose logging is needed for troubleshooting, run calicoctl on an isolated workstation, capture stderr to a private file rather than CI output or screen-recorded sessions, and rotate any kubeconfig bearer tokens, K8sAPIToken values, etcd passwords, and etcd client cert/key pairs that may already have been written to historical logs, ticket attachments, or backup archives. Note the trade-off: suppressing verbose logging removes a debugging tool, and credential rotation in etcd-backed Calico deployments requires updating every Calico component that consumes the datastore credential.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

EUVD-2026-32932 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy