CVE-2026-25538
Unknown Unknown - Not Provided
JWT Forgery via API Token Leak in Devtron Attributes API

Publication date: 2026-02-04

Last updated on: 2026-02-11

Assigner: GitHub, Inc.

Description
Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster. This issue has been patched via commit d2b0d26.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-02-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25538
EUVD
EUVD-2026-5332
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
devtron devtron to 2.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Devtron, an open source tool integration platform for Kubernetes, specifically in versions 2.0.0 and prior. It affects the Attributes API interface, where any authenticated user, including those with low privileges such as CI/CD Developers, can access the /orchestrator/attributes?key=apiTokenSecret endpoint to obtain the global API Token signing key.

With this key, an attacker can forge JWT tokens for arbitrary user identities offline, which allows them to gain complete control over the Devtron platform and potentially move laterally to the underlying Kubernetes cluster.

This vulnerability has been patched in a later commit (d2b0d26).

Impact Analysis

If exploited, this vulnerability allows an attacker to gain complete control over the Devtron platform by forging JWT tokens for any user identity.

This control can lead to unauthorized actions within the platform and enable lateral movement to the underlying Kubernetes cluster, potentially compromising the entire cluster and its workloads.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Devtron to a version that includes the patch applied in commit d2b0d26.

This patch fixes the issue in the Attributes API interface that allowed authenticated users to obtain the global API Token signing key.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25538. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart