CVE-2026-41184
Calico CNI ServiceAccount Token Exposure via Logs
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Tigera, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tigera | calico | 3.33.0 |
| tigera | calico | 3.32 |
| tigera | calico | 3.31 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41184 is a vulnerability in the Calico CNI plugin where the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder, the installer substitutes the live Kubernetes ServiceAccount bearer token before logging. This exposes the token to any authenticated user with pods/log permission in the namespace containing calico-node.
The exposed token grants patch privileges on pods/status, which can be exploited to perform annotation-based attacks against cluster workloads. This vulnerability is a regression of a previous issue (TTA-2018-001).
The vulnerability was addressed by sanitizing log outputs to prevent sensitive configuration data, including tokens, from being logged during installation and configuration processes.
How can this vulnerability impact me? :
This vulnerability can lead to the exposure of Kubernetes ServiceAccount bearer tokens in logs accessible to any authenticated user with pods/log permission in the affected namespace.
Since the token holds patch privileges on pods/status, an attacker could use it to modify pod annotations, potentially enabling further attacks against cluster workloads.
Such unauthorized access and modification can compromise the integrity and security of the Kubernetes cluster workloads.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the exposure of Kubernetes ServiceAccount bearer tokens in the logs of the Calico install-cni init container. Detection involves checking logs for leaked tokens or sensitive CNI configuration data.
You can inspect the logs of the calico-node pods for any presence of Kubernetes ServiceAccount tokens or full CNI configuration data that should not be logged.
- Run the command to get logs from calico-node pods: kubectl logs -n <namespace> -l k8s-app=calico-node
- Search logs for bearer tokens or suspicious token-like strings: kubectl logs -n <namespace> -l k8s-app=calico-node | grep -E 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9'
- Check for any logs containing full CNI configuration JSON or sensitive data that should not be present.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Calico CNI plugin to a fixed version where logging of sensitive CNI configuration data and tokens has been removed or sanitized.
Specifically, upgrade to Calico release v3.31 or later, where the fix was implemented to prevent logging of full CNI configuration contents and sensitive tokens.
Avoid using configuration templates that substitute live Kubernetes ServiceAccount tokens in logs.
Review and restrict pod/log permissions in namespaces running calico-node to limit exposure.