Search
Find a vulnerability
Search criteria
6 vulnerabilities found for tilt by tilt-dev
CVE-2026-55884 (GCVE-0-2026-55884)
Vulnerability from nvd – Published: 2026-07-10 21:36 – Updated: 2026-07-10 21:36
VLAI
EPSS
VEX
Title
Tilt: Missing authentication on the network-exposed Tilt HUD server
Summary
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-loopback address, an unauthenticated network caller can trigger developer-defined resources, tamper with Tiltfile arguments, read full engine state including the session token, and invoke apiserver resources through the token-attaching /proxy handler. This issue is fixed in version 0.37.4.
Severity
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/tilt-dev/tilt/security/advisor… | x_refsource_CONFIRM |
| https://github.com/tilt-dev/tilt/pull/6776 | x_refsource_MISC |
| https://github.com/tilt-dev/tilt/commit/47393fba7… | x_refsource_MISC |
| https://github.com/tilt-dev/tilt/releases/tag/v0.37.4 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "tilt",
"vendor": "tilt-dev",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.20.8, \u003c 0.37.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-loopback address, an unauthenticated network caller can trigger developer-defined resources, tamper with Tiltfile arguments, read full engine state including the session token, and invoke apiserver resources through the token-attaching /proxy handler. This issue is fixed in version 0.37.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:36:18.861Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-c73q-8xxr-rgqm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-c73q-8xxr-rgqm"
},
{
"name": "https://github.com/tilt-dev/tilt/pull/6776",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/pull/6776"
},
{
"name": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a"
},
{
"name": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4"
}
],
"source": {
"advisory": "GHSA-c73q-8xxr-rgqm",
"discovery": "UNKNOWN"
},
"title": "Tilt: Missing authentication on the network-exposed Tilt HUD server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55884",
"datePublished": "2026-07-10T21:36:18.861Z",
"dateReserved": "2026-06-17T16:59:42.759Z",
"dateUpdated": "2026-07-10T21:36:18.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55883 (GCVE-0-2026-55883)
Vulnerability from nvd – Published: 2026-07-10 21:38 – Updated: 2026-07-10 21:38
VLAI
EPSS
VEX
Title
Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream
Summary
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.24.0 through 0.37.3, the Tilt HUD WebSocket at /ws/view is gated by a CSRF token, but the token is served by the unauthenticated /api/websocket_token endpoint and the upgrader accepts clients that omit an Origin header. When the HUD is network-exposed, an attacker who can reach the listener can open the HUD WebSocket and receive the full view stream, including session state, Tiltfile contents, resource statuses, and continued updates. This issue is fixed in version 0.37.4.
Severity
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/tilt-dev/tilt/security/advisor… | x_refsource_CONFIRM |
| https://github.com/tilt-dev/tilt/pull/6776 | x_refsource_MISC |
| https://github.com/tilt-dev/tilt/commit/47393fba7… | x_refsource_MISC |
| https://github.com/tilt-dev/tilt/releases/tag/v0.37.4 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "tilt",
"vendor": "tilt-dev",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.24.0, \u003c 0.37.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.24.0 through 0.37.3, the Tilt HUD WebSocket at /ws/view is gated by a CSRF token, but the token is served by the unauthenticated /api/websocket_token endpoint and the upgrader accepts clients that omit an Origin header. When the HUD is network-exposed, an attacker who can reach the listener can open the HUD WebSocket and receive the full view stream, including session state, Tiltfile contents, resource statuses, and continued updates. This issue is fixed in version 0.37.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:38:18.081Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-6m68-r693-78qx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-6m68-r693-78qx"
},
{
"name": "https://github.com/tilt-dev/tilt/pull/6776",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/pull/6776"
},
{
"name": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a"
},
{
"name": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4"
}
],
"source": {
"advisory": "GHSA-6m68-r693-78qx",
"discovery": "UNKNOWN"
},
"title": "Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55883",
"datePublished": "2026-07-10T21:38:18.081Z",
"dateReserved": "2026-06-17T16:59:42.759Z",
"dateUpdated": "2026-07-10T21:38:18.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55882 (GCVE-0-2026-55882)
Vulnerability from nvd – Published: 2026-07-10 21:37 – Updated: 2026-07-10 21:37
VLAI
EPSS
VEX
Title
Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server
Summary
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memory through /debug/pprof/heap and /debug/pprof/goroutine, including session and apiserver tokens, and degrade performance through /debug/pprof/profile or /debug/pprof/trace. This issue is fixed in version 0.37.4.
Severity
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/tilt-dev/tilt/security/advisor… | x_refsource_CONFIRM |
| https://github.com/tilt-dev/tilt/pull/6776 | x_refsource_MISC |
| https://github.com/tilt-dev/tilt/commit/47393fba7… | x_refsource_MISC |
| https://github.com/tilt-dev/tilt/releases/tag/v0.37.4 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "tilt",
"vendor": "tilt-dev",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.19.5, \u003c 0.37.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memory through /debug/pprof/heap and /debug/pprof/goroutine, including session and apiserver tokens, and degrade performance through /debug/pprof/profile or /debug/pprof/trace. This issue is fixed in version 0.37.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:37:12.245Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-p749-9w62-w533",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-p749-9w62-w533"
},
{
"name": "https://github.com/tilt-dev/tilt/pull/6776",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/pull/6776"
},
{
"name": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a"
},
{
"name": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4"
}
],
"source": {
"advisory": "GHSA-p749-9w62-w533",
"discovery": "UNKNOWN"
},
"title": "Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55882",
"datePublished": "2026-07-10T21:37:12.245Z",
"dateReserved": "2026-06-17T16:59:42.759Z",
"dateUpdated": "2026-07-10T21:37:12.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55883 (GCVE-0-2026-55883)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:38 – Updated: 2026-07-10 21:38
VLAI
EPSS
VEX
Title
Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream
Summary
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.24.0 through 0.37.3, the Tilt HUD WebSocket at /ws/view is gated by a CSRF token, but the token is served by the unauthenticated /api/websocket_token endpoint and the upgrader accepts clients that omit an Origin header. When the HUD is network-exposed, an attacker who can reach the listener can open the HUD WebSocket and receive the full view stream, including session state, Tiltfile contents, resource statuses, and continued updates. This issue is fixed in version 0.37.4.
Severity
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/tilt-dev/tilt/security/advisor… | x_refsource_CONFIRM |
| https://github.com/tilt-dev/tilt/pull/6776 | x_refsource_MISC |
| https://github.com/tilt-dev/tilt/commit/47393fba7… | x_refsource_MISC |
| https://github.com/tilt-dev/tilt/releases/tag/v0.37.4 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "tilt",
"vendor": "tilt-dev",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.24.0, \u003c 0.37.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.24.0 through 0.37.3, the Tilt HUD WebSocket at /ws/view is gated by a CSRF token, but the token is served by the unauthenticated /api/websocket_token endpoint and the upgrader accepts clients that omit an Origin header. When the HUD is network-exposed, an attacker who can reach the listener can open the HUD WebSocket and receive the full view stream, including session state, Tiltfile contents, resource statuses, and continued updates. This issue is fixed in version 0.37.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:38:18.081Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-6m68-r693-78qx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-6m68-r693-78qx"
},
{
"name": "https://github.com/tilt-dev/tilt/pull/6776",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/pull/6776"
},
{
"name": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a"
},
{
"name": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4"
}
],
"source": {
"advisory": "GHSA-6m68-r693-78qx",
"discovery": "UNKNOWN"
},
"title": "Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55883",
"datePublished": "2026-07-10T21:38:18.081Z",
"dateReserved": "2026-06-17T16:59:42.759Z",
"dateUpdated": "2026-07-10T21:38:18.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55882 (GCVE-0-2026-55882)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:37 – Updated: 2026-07-10 21:37
VLAI
EPSS
VEX
Title
Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server
Summary
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memory through /debug/pprof/heap and /debug/pprof/goroutine, including session and apiserver tokens, and degrade performance through /debug/pprof/profile or /debug/pprof/trace. This issue is fixed in version 0.37.4.
Severity
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/tilt-dev/tilt/security/advisor… | x_refsource_CONFIRM |
| https://github.com/tilt-dev/tilt/pull/6776 | x_refsource_MISC |
| https://github.com/tilt-dev/tilt/commit/47393fba7… | x_refsource_MISC |
| https://github.com/tilt-dev/tilt/releases/tag/v0.37.4 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "tilt",
"vendor": "tilt-dev",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.19.5, \u003c 0.37.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memory through /debug/pprof/heap and /debug/pprof/goroutine, including session and apiserver tokens, and degrade performance through /debug/pprof/profile or /debug/pprof/trace. This issue is fixed in version 0.37.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:37:12.245Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-p749-9w62-w533",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-p749-9w62-w533"
},
{
"name": "https://github.com/tilt-dev/tilt/pull/6776",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/pull/6776"
},
{
"name": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a"
},
{
"name": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4"
}
],
"source": {
"advisory": "GHSA-p749-9w62-w533",
"discovery": "UNKNOWN"
},
"title": "Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55882",
"datePublished": "2026-07-10T21:37:12.245Z",
"dateReserved": "2026-06-17T16:59:42.759Z",
"dateUpdated": "2026-07-10T21:37:12.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55884 (GCVE-0-2026-55884)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:36 – Updated: 2026-07-10 21:36
VLAI
EPSS
VEX
Title
Tilt: Missing authentication on the network-exposed Tilt HUD server
Summary
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-loopback address, an unauthenticated network caller can trigger developer-defined resources, tamper with Tiltfile arguments, read full engine state including the session token, and invoke apiserver resources through the token-attaching /proxy handler. This issue is fixed in version 0.37.4.
Severity
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/tilt-dev/tilt/security/advisor… | x_refsource_CONFIRM |
| https://github.com/tilt-dev/tilt/pull/6776 | x_refsource_MISC |
| https://github.com/tilt-dev/tilt/commit/47393fba7… | x_refsource_MISC |
| https://github.com/tilt-dev/tilt/releases/tag/v0.37.4 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "tilt",
"vendor": "tilt-dev",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.20.8, \u003c 0.37.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-loopback address, an unauthenticated network caller can trigger developer-defined resources, tamper with Tiltfile arguments, read full engine state including the session token, and invoke apiserver resources through the token-attaching /proxy handler. This issue is fixed in version 0.37.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:36:18.861Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-c73q-8xxr-rgqm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-c73q-8xxr-rgqm"
},
{
"name": "https://github.com/tilt-dev/tilt/pull/6776",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/pull/6776"
},
{
"name": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a"
},
{
"name": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4"
}
],
"source": {
"advisory": "GHSA-c73q-8xxr-rgqm",
"discovery": "UNKNOWN"
},
"title": "Tilt: Missing authentication on the network-exposed Tilt HUD server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55884",
"datePublished": "2026-07-10T21:36:18.861Z",
"dateReserved": "2026-06-17T16:59:42.759Z",
"dateUpdated": "2026-07-10T21:36:18.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}