CVE-2026-45021

MEDIUM EPSS 10.4%
Published May 28, 20261mo ago · Modified Jun 17, 20262w ago
5.1 CVSS 4.0
Medium
Find Similar
Published May 28, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5.

CVSS Details

Base Score
5.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction A
Scope X

Threat Intelligence

EPSS Exploit Probability
10.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-346
CWE-942

References 8

  • github.com https://github.com/kumahq/kuma/commit/8fefa8595d44eb68d922405702ed7a0826322907
  • github.com https://github.com/kumahq/kuma/pull/16416
  • github.com https://github.com/kumahq/kuma/pull/16423
  • github.com https://github.com/kumahq/kuma/pull/16424
  • github.com https://github.com/kumahq/kuma/pull/16425
  • github.com https://github.com/kumahq/kuma/pull/16426
  • github.com https://github.com/kumahq/kuma/pull/16427
  • github.com https://github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.