CVE-2026-6720

HIGH EPSS 12.9%
Published May 28, 20261mo ago · Modified Jun 17, 20262w ago
7.2 CVSS 4.0
High
Find Similar
Published May 28, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.

CVSS Details

Base Score
7.2
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction P
Scope X

Threat Intelligence

EPSS Exploit Probability
12.9% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-532

References 4

  • github.com https://github.com/projectcalico/calico/pull/12535
  • github.com https://github.com/projectcalico/calico/pull/12536
  • github.com https://github.com/projectcalico/calico/pull/12537
  • tigera.io https://www.tigera.io/security-bulletins/tta-2026-003/

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.