Executive Summary

CVE-2026-41184 is a vulnerability in the Calico CNI plugin where the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder, the installer substitutes the live Kubernetes ServiceAccount bearer token before logging. This exposes the token to any authenticated user with pods/log permission in the namespace containing calico-node.

The exposed token grants patch privileges on pods/status, which can be exploited to perform annotation-based attacks against cluster workloads. This vulnerability is a regression of a previous issue (TTA-2018-001).

The vulnerability was addressed by sanitizing log outputs to prevent sensitive configuration data, including tokens, from being logged during installation and configuration processes.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the exposure of Kubernetes ServiceAccount bearer tokens in logs accessible to any authenticated user with pods/log permission in the affected namespace.

Since the token holds patch privileges on pods/status, an attacker could use it to modify pod annotations, potentially enabling further attacks against cluster workloads.

Such unauthorized access and modification can compromise the integrity and security of the Kubernetes cluster workloads.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the exposure of Kubernetes ServiceAccount bearer tokens in the logs of the Calico install-cni init container. Detection involves checking logs for leaked tokens or sensitive CNI configuration data.

You can inspect the logs of the calico-node pods for any presence of Kubernetes ServiceAccount tokens or full CNI configuration data that should not be logged.

• Run the command to get logs from calico-node pods: kubectl logs -n <namespace> -l k8s-app=calico-node
• Search logs for bearer tokens or suspicious token-like strings: kubectl logs -n <namespace> -l k8s-app=calico-node | grep -E 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9'
• Check for any logs containing full CNI configuration JSON or sensitive data that should not be present.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, update the Calico CNI plugin to a fixed version where logging of sensitive CNI configuration data and tokens has been removed or sanitized.

Specifically, upgrade to Calico release v3.31 or later, where the fix was implemented to prevent logging of full CNI configuration contents and sensitive tokens.

Avoid using configuration templates that substitute live Kubernetes ServiceAccount tokens in logs.

Review and restrict pod/log permissions in namespaces running calico-node to limit exposure.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Calico exposes Kubernetes ServiceAccount bearer tokens in logs, which can be accessed by any authenticated user with pods/log permission in the affected namespace. This exposure of sensitive authentication tokens could lead to unauthorized access and manipulation of cluster workloads.

Such exposure of sensitive credentials and potential unauthorized access can negatively impact compliance with common security and privacy standards and regulations like GDPR and HIPAA, which require protection of sensitive data and strict access controls.

The security updates in Calico aim to prevent sensitive information leakage in logs by sanitizing log outputs and removing full configuration payloads from logs, thereby reducing the risk of exposing credentials or sensitive data and helping to maintain compliance with these standards.

Useful 0 Not Useful 0