CVE-2026-41185
Calico CNI Azure IPAM Plugin Logs Exposure of Kubernetes Credentials
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Tigera, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| calico | calico | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs when Calico is configured with the Azure IPAM plugin. The Calico CNI binary modifies the incoming CNI configuration to add subnet information before passing it to the IPAM plugin. After this modification, the Azure IPAM helper logs the entire configuration, including sensitive data such as the ServiceAccount token, client key, and certificate authority, in plaintext at INFO level to a log file on the node.
Because these logs are written on every pod addition or deletion, any user with read access to the log file can extract these credentials, which provide cluster-wide Calico networking administrative privileges.
How can this vulnerability impact me?
The vulnerability allows any principal with read access to the Calico CNI log file on a node to obtain sensitive Kubernetes credentials in plaintext. These credentials include the ServiceAccount token, client key, and certificate authority, which grant cluster-wide Calico networking administrative privileges.
An attacker or unauthorized user could use these credentials to control or manipulate the Calico networking components across the entire Kubernetes cluster, potentially leading to network disruption, unauthorized access, or further compromise of the cluster.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the Calico CNI log file at /var/log/calico/cni/cni.log on each node.
Look for INFO-level entries written during CNI ADD and DEL invocations that contain the entire unmarshaled CNI configuration map (stdinData).
Specifically, search those entries for sensitive values in plaintext: the ServiceAccount token, the client key, or the certificate authority.
- Use commands like: sudo grep -i 'ServiceAccount token' /var/log/calico/cni/cni.log
- Or to inspect the log more broadly for sensitive data: sudo less /var/log/calico/cni/cni.log
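As an added example (not from the advisory or the Calico project), the script below counts log lines carrying credential-shaped material and prints them with the secrets masked, so the findings can be shared without re-leaking the credentials. It assumes ServiceAccount tokens appear as JWTs and that the client key and CA appear as PEM blocks; the sample log it writes is constructed, with illustrative field names.

```shell
#!/usr/bin/env bash
# Added example, not from the advisory or the Calico project: scan a Calico CNI
# log for credential material left in plaintext (CWE-532) and report it without
# re-leaking it. Assumptions: ServiceAccount tokens are JWTs (three base64url
# segments, header starting "eyJ"); the client key and CA appear as PEM blocks.
set -u

LOG="${1:-/var/log/calico/cni/cni.log}"   # path named in the advisory
JWT='eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'
PEM='-----BEGIN [A-Z ]+-----[^-]*-----END [A-Z ]+-----'

# Number of log lines carrying something shaped like a JWT (count only).
count_jwt_lines() { grep -Ec -e "$JWT" "$1" || true; }

# Number of log lines carrying at least one PEM key or certificate block.
count_pem_lines() { grep -Ec -e "$PEM" "$1" || true; }

# Matching lines with the secret material masked, safe to paste into a ticket.
report_redacted() {
  grep -E -e "$JWT|$PEM" "$1" \
    | sed -E -e "s/$JWT/<REDACTED_JWT>/g" -e "s/$PEM/<REDACTED_PEM>/g"
}

# Constructed sample log (not a real capture; field names are illustrative)
# mirroring what the advisory describes: the whole stdinData map at INFO level
# on every ADD/DEL, here with a fake token, CA and client key inline.
write_sample_log() {
  cat > "$1" <<'EOF'
2026-05-28 10:00:01 [INFO][2211] cni.go ADD stdinData=map[kubernetes:map[k8s_auth_token:eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjYWxpY28tY25pIn0.c2lnbmF0dXJl k8s_certificate_authority:-----BEGIN CERTIFICATE-----MIIBCONSTRUCTEDCA-----END CERTIFICATE----- k8s_client_key:-----BEGIN EC PRIVATE KEY-----MHcCONSTRUCTEDKEY-----END EC PRIVATE KEY-----]]
2026-05-28 10:00:02 [INFO][2211] ipam.go Assigned IPv4 address 10.244.1.7
2026-05-28 10:05:40 [INFO][2340] cni.go DEL stdinData=map[kubernetes:map[k8s_auth_token:eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjYWxpY28tY25pIn0.c2lnbmF0dXJl]]
EOF
}

# Stand-alone use on a node: report on the real log if it is readable.
if [ -r "$LOG" ]; then
  echo "JWT-bearing lines: $(count_jwt_lines "$LOG")"
  echo "PEM-bearing lines: $(count_pem_lines "$LOG")"
  report_redacted "$LOG"
fi
```

Run it as root on a node (or pass another log path as the first argument); a non-zero count on a patched cluster means old entries are still on disk and the log should be rotated and the credentials rotated with it.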
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting read access to the /var/log/calico/cni/cni.log file to only trusted administrators.
Additionally, consider disabling or modifying the logging behavior of the Azure IPAM helper to prevent sensitive information from being logged in plaintext.
Review and tighten Kubernetes token-based authentication configurations to limit exposure if credentials are leaked.
Monitor and audit access to the log files regularly to detect unauthorized reads.