CVE-2026-55882
Received Received - Intake

Memory Exposure via Debug Endpoints in Tilt

Vulnerability report for CVE-2026-55882, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memory through /debug/pprof/heap and /debug/pprof/goroutine, including session and apiserver tokens, and degrade performance through /debug/pprof/profile or /debug/pprof/trace. This issue is fixed in version 0.37.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
tilt tilt From 0.19.5 (inc) to 0.37.3 (inc)
tilt tilt 0.37.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Tilt versions 0.19.5 through 0.37.3, where the Tilt HUD server mounts Go net/http/pprof handlers under the /debug path without any access control.

If the HUD or apiserver listener is exposed to a network, an unauthenticated attacker can access endpoints like /debug/pprof/heap and /debug/pprof/goroutine to read process memory, which may include sensitive information such as session and apiserver tokens.

Additionally, the attacker can degrade system performance by accessing /debug/pprof/profile or /debug/pprof/trace.

This issue was fixed in version 0.37.4.

Impact Analysis

An attacker can exploit this vulnerability to read sensitive process memory, potentially exposing session and apiserver tokens, which could lead to unauthorized access.

Furthermore, the attacker can degrade the performance of the affected system by triggering resource-intensive profiling endpoints.

Detection Guidance

This vulnerability involves the Tilt HUD server exposing Go net/http/pprof handlers under /debug without access control. To detect it, you can check if the Tilt HUD server or apiserver listener is network-exposed and if the /debug/pprof endpoints are accessible without authentication.

You can attempt to access the following URLs on the Tilt server to verify exposure:

  • http://<tilt-server-address>/debug/pprof/heap
  • http://<tilt-server-address>/debug/pprof/goroutine
  • http://<tilt-server-address>/debug/pprof/profile
  • http://<tilt-server-address>/debug/pprof/trace

If these endpoints are accessible without authentication, the vulnerability is present.

You can use command-line tools like curl or wget to test access, for example:

  • curl -I http://<tilt-server-address>/debug/pprof/heap
  • curl -I http://<tilt-server-address>/debug/pprof/goroutine
Mitigation Strategies

The vulnerability is fixed in Tilt version 0.37.4. The immediate mitigation step is to upgrade your Tilt installation to version 0.37.4 or later.

Until you can upgrade, ensure that the Tilt HUD server and apiserver listener are not network-exposed or restrict access to the /debug/pprof endpoints using network controls or firewall rules to prevent unauthenticated access.

Compliance Impact

This vulnerability allows unauthenticated attackers to read process memory, including session and apiserver tokens, which could lead to unauthorized access to sensitive information.

Such unauthorized access and potential exposure of sensitive data can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information.

Additionally, the ability to degrade performance may affect system availability, which is also a consideration in regulatory compliance frameworks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55882. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart