Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster - inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream - CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl - can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.
AnalysisAI
Credential disclosure in Tigera Calico's calicoctl CLI exposes cluster-access secrets through verbose logging output. When operators run calicoctl with --log-level=info or --log-level=debug, the tool serializes its entire connection-configuration struct (including bearer tokens, etcd passwords, and inline PEM client certificates/keys) to stderr in a single log line, making them harvestable by anyone with access to CI logs, terminal recordings, or support transcripts. The issue is patched upstream but no public exploit is identified at time of analysis; default panic-level logging means standard deployments are not exposed.
Technical ContextAI
Calico is a widely deployed Kubernetes networking and network-policy engine maintained by Tigera; calicoctl is its administrative CLI which loads a CalicoAPIConfig struct containing both etcdv3 and Kubernetes datastore credentials. The root cause is a classic CWE-532 (Insertion of Sensitive Information into Log File): the previous code at calicoctl/commands/clientmgr/client.go used log.Infof("Loaded client config: %#v", cfg.Spec), where Go's %#v verb reflectively prints every struct field - including KubeconfigInline, K8sAPIToken, EtcdPassword, EtcdKey, and EtcdCert. The upstream fix (PRs 12535/12536/12537) replaces the dump with a structured log that emits only non-sensitive metadata and boolean *Set flags indicating whether each credential is populated, never the value itself.
RemediationAI
Upstream fix available (PRs https://github.com/projectcalico/calico/pull/12535, /12536, and /12537); a released patched version is not independently confirmed in the provided data, so consult the Tigera bulletin at https://www.tigera.io/security-bulletins/tta-2026-003/ for the exact fixed calicoctl build for Calico OSS, Calico Enterprise, and Calico Cloud and upgrade accordingly. As an immediate workaround, leave calicoctl at its default --log-level=panic and forbid info/debug logging in automation; if verbose logging is needed for troubleshooting, run calicoctl on an isolated workstation, capture stderr to a private file rather than CI output or screen-recorded sessions, and rotate any kubeconfig bearer tokens, K8sAPIToken values, etcd passwords, and etcd client cert/key pairs that may already have been written to historical logs, ticket attachments, or backup archives. Note the trade-off: suppressing verbose logging removes a debugging tool, and credential rotation in etcd-backed Calico deployments requires updating every Calico component that consumes the datastore credential.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32932
GHSA-3m4q-ggcj-j6m4