CVE-2026-6720
Deferred Deferred - Pending Action
calicoctl Credential Exposure via Verbose Logging

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Tigera, Inc.

Description
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster β€” inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream β€” CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl β€” can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-6720
EUVD
EUVD-2026-32932
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
tigera calicoctl 3.31.6
tigera calicoctl 3.32
tigera calicoctl 3.33.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the calicoctl tool when it is run with verbose logging levels such as --log-level=info or --log-level=debug. In these modes, calicoctl logs the entire contents of its connection-configuration struct to stderr in a single line. This struct contains sensitive credentials including inline kubeconfig with bearer tokens, Kubernetes API bearer tokens, etcd passwords, and PEM-encoded etcd client certificates and keys.

Because these credentials are printed in logs, anyone who can read the stderr outputβ€”such as through CI job logs, session recordings, support ticket transcripts, or local filesystem accessβ€”can extract these sensitive credentials without needing any Kubernetes privileges. The default log level is panic, so this exposure only happens when verbose logging is explicitly enabled.

Compliance Impact

This vulnerability causes sensitive credentials such as Kubernetes API tokens, etcd passwords, and client certificates to be logged in plaintext when verbose logging is enabled. Such exposure of sensitive authentication data in logs can lead to unauthorized access and potential data breaches.

Exposure of sensitive credentials in logs can violate compliance requirements under common standards and regulations like GDPR and HIPAA, which mandate protection of sensitive data and access controls to prevent unauthorized disclosure.

By leaking credentials in logs accessible to CI jobs, session recordings, support tickets, or local filesystem viewers, this vulnerability increases the risk of non-compliance with these regulations due to inadequate protection of sensitive information.

The vulnerability was fixed by modifying the logging behavior to exclude sensitive fields and only indicate the presence of credentials without revealing their values, thereby reducing the risk of credential leakage and helping maintain compliance.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive credentials used by calicoctl to communicate with the Kubernetes cluster and etcd datastore. Exposure of these credentials can allow attackers or unauthorized users to gain access to the cluster or etcd data, potentially leading to security breaches.

Since the credentials are exposed in logs or stderr output, any user or system with access to these logs can extract tokens, passwords, and certificates without needing Kubernetes privileges, increasing the risk of compromise.

Detection Guidance

This vulnerability can be detected by checking if the calicoctl tool is being run with verbose logging enabled, specifically with the --log-level=info or --log-level=debug flags.

You can inspect logs or stderr outputs from calicoctl for the presence of sensitive credential information such as Kubernetes API bearer tokens, inline kubeconfig content, etcd passwords, or PEM-encoded etcd client certificates and keys.

Commands to help detect this might include searching logs or stderr outputs for known sensitive patterns or keywords related to these credentials.

  • grep -i -E 'bearer|token|kubeconfig|etcd|password|cert|key' /path/to/calicoctl/logs
  • journalctl -u calicoctl | grep -i -E 'bearer|token|kubeconfig|etcd|password|cert|key'
  • Check stderr output if running calicoctl manually with verbose logging enabled: calicoctl --log-level=info 2>&1 | tee calicoctl_verbose.log
Mitigation Strategies

To mitigate this vulnerability, avoid running calicoctl with the --log-level=info or --log-level=debug flags, as these cause sensitive credentials to be logged.

Upgrade calicoctl to a fixed version where the logging behavior has been modified to exclude sensitive credential information. The fix is included starting from Calico v3.31.6, v3.32, and v3.33.0 releases.

Ensure that logs and any stored stderr outputs from calicoctl are reviewed and sanitized to remove any exposed credentials.

Implement strict access controls on logs and CI job outputs to prevent unauthorized access to any sensitive information that may have been previously logged.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6720. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart