CVE-2026-45021
Status: Deferred - Pending Action
Information Disclosure in Kuma Control Plane

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5.
Meta Information
Generated: 2026-05-29
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: kumahq
Product: kuma
Version / Range: up to 2.13.5 (exclusive)
CWE
CWE-942: The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
CWE-346: The product does not properly verify that the source of data or communication is valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-45021 is a vulnerability in Kuma, a modern Envoy-based service mesh, where the default configuration of the Kuma control plane (kuma-cp) leaks the admin bootstrap token and signing keys to any webpage the operator visits if the control plane is reachable from their browser.

This happens because the default settings allow any origin via CORS (CorsAllowedDomains set to [".*"]) and promote requests from localhost (127.0.0.1) to admin privileges (LocalhostIsAdmin: true). A malicious webpage can exploit this by making a cross-origin fetch() request that returns the admin JWT and signing material.

The vulnerability arises from improper validation of localhost admin authentication and overly permissive CORS policies, allowing unauthorized access to sensitive admin credentials through the browser.

The issue is fixed in Kuma versions 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5 by restricting localhost admin access to direct loopback connections only, making CORS opt-in by default, and blocking proxy-hop headers, cross-site fetch metadata, and non-localhost Origin headers.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive admin credentials (admin bootstrap token and signing keys) if an attacker tricks the operator into visiting a malicious webpage while the Kuma control plane is accessible from their browser.

An attacker can use a cross-origin fetch() request from a malicious site to retrieve the admin JWT and signing material, potentially gaining administrative control over the Kuma service mesh.

This risk is particularly relevant in environments where kuma-cp runs locally on developer laptops, workstations with port publishing, or machines using kubectl port-forward, and the operator browses the web on the same machine.

The vulnerability does not affect remote Kubernetes clusters accessed via ClusterIP, NodePort, or LoadBalancer, nor does it affect VMs administered via SSH without a browser.

The overall impact is medium severity (CVSS score 5.1), requiring user interaction, with low impact on confidentiality and integrity but potential for privilege escalation.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the Kuma control plane leaking the admin bootstrap token and signing keys via default configurations that allow any Origin through CORS and promote localhost requests to admin. Detection involves checking if your Kuma control plane is running a vulnerable version prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, or 2.13.5, and if the default configuration settings are in place (CorsAllowedDomains set to [".*"] and LocalhostIsAdmin set to true).

To detect exploitation attempts or presence of the vulnerability, you can monitor HTTP requests to the Kuma control plane API server for suspicious cross-origin requests or requests with proxy-hop headers (e.g., X-Forwarded-For) or non-localhost Origin headers that should be blocked.

Suggested commands include using network monitoring tools like curl or browser developer tools to test if the admin token can be fetched cross-origin. For example, from a browser or command line on the same machine, you might try:

  • curl -v -H "Origin: https://evil.com" http://localhost:<kuma-cp-port>/admin-token-endpoint
  • Check for presence of CORS headers allowing all origins (Access-Control-Allow-Origin: *) in responses from the Kuma control plane.
  • Inspect Kuma control plane configuration files or environment variables for CorsAllowedDomains and LocalhostIsAdmin settings.

Additionally, review logs for any cross-origin fetch attempts or requests with suspicious headers that should be denied under the fixed configuration.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating Kuma control plane to a fixed version: 2.7.25, 2.9.15, 2.11.13, 2.12.10, or 2.13.5, which contain the security hardening fixes.

If updating immediately is not possible, apply the following configuration changes:

  • Set LocalhostIsAdmin to false by configuring the environment variable KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=false to disable automatic localhost admin privileges.
  • Restrict CORS domains explicitly by setting CorsAllowedDomains to an empty list or a strict allowlist instead of the default permissive [".*"] setting.
  • Avoid running the Kuma control plane on machines used for browsing untrusted websites or developer laptops with Docker in host network mode or kubectl port-forwarding that expose the control plane to the browser.

For users relying on localhost admin for initial setup, switch to token-based authentication using the --auth-type=tokens option or ensure direct loopback access without proxy headers.

Review and apply the security hardening changes described in the official Kuma upgrade and security advisories to ensure proper validation of RemoteAddr, Host headers, and blocking of proxy-hop headers and non-localhost Origin headers.
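As an added, offline check that is not Kuma's own code: it audits a kuma-cp environment for the two default settings the advisory names (a missing variable is treated as the vulnerable default) and classifies a captured response header set for a reflected non-loopback Origin, which is the condition the detection answer above says to look for. KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN comes from the mitigation answer; KUMA_API_SERVER_CORS_ALLOWED_DOMAINS, its comma-separated list format and the allowlist value in HARDENED_ENV are assumptions.

```python
"""Audit kuma-cp settings and CORS responses for the CVE-2026-45021 defaults."""
import re

LOCALHOST_ADMIN_ENV = "KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN"  # from the advisory
CORS_ENV = "KUMA_API_SERVER_CORS_ALLOWED_DOMAINS"                 # assumed name
PROBE_ORIGIN = "https://attacker.example"  # constructed, never a real site
LOOPBACK_ORIGIN = re.compile(r"^https?://(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$")


def pattern_is_open(pattern: str) -> bool:
    """True if a CorsAllowedDomains regex would accept an arbitrary Origin."""
    try:
        return re.fullmatch(pattern, PROBE_ORIGIN) is not None
    except re.error:  # an unparseable pattern cannot be the ".*" default
        return False


def audit_env(env: dict) -> list:
    """Return findings for a kuma-cp environment; unset keys mean Kuma's default."""
    findings = []
    if env.get(LOCALHOST_ADMIN_ENV, "true").strip().lower() == "true":
        findings.append("LocalhostIsAdmin=true: 127.0.0.1 requests become mesh-system:admin")
    patterns = [p.strip() for p in env.get(CORS_ENV, ".*").split(",") if p.strip()]
    if any(pattern_is_open(p) for p in patterns):
        findings.append("CorsAllowedDomains %r matches any Origin" % patterns)
    return findings


def cors_reflects_origin(request_origin: str, response_headers: dict) -> bool:
    """True when the response lets a non-loopback page read the admin endpoint.

    Header names are matched case-insensitively; a wildcard or a reflected
    non-loopback Origin is the behaviour the advisory describes.
    """
    headers = {k.lower(): v for k, v in response_headers.items()}
    allowed = headers.get("access-control-allow-origin", "")
    if allowed == "*":
        return True
    return allowed == request_origin and not LOOPBACK_ORIGIN.match(request_origin)


HARDENED_ENV = {
    LOCALHOST_ADMIN_ENV: "false",                    # no implicit admin for loopback
    CORS_ENV: "https://kuma-gui\\.internal\\.example",  # explicit allowlist (placeholder)
}

if __name__ == "__main__":
    for name, env in (("default", {}), ("hardened", HARDENED_ENV)):
        print(name, audit_env(env) or ["no findings"])
    # Constructed sample headers as a vulnerable control plane would return them.
    sample = {"Access-Control-Allow-Origin": "https://evil.example"}
    print("reflects origin:", cors_reflects_origin("https://evil.example", sample))
```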


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Kuma's default configuration leaks admin bootstrap tokens and signing keys to any webpage the operator visits when the control plane is reachable from their browser. This leakage of sensitive authentication material could lead to unauthorized administrative access, potentially compromising the confidentiality and integrity of the system.

Such unauthorized access and data leakage could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and administrative privileges to protect personal and health information.

Mitigations include disabling the permissive localhost admin access, restricting CORS domains to explicit allowlists, and avoiding running the control plane on machines used for browsing untrusted sites. These measures help reduce the risk of unauthorized access and data exposure, supporting compliance efforts.

