CVE-2026-45021 (GCVE-0-2026-45021)
Vulnerability from cvelistv5 – Published: 2026-05-28 17:45 – Updated: 2026-05-28 19:30
Title
Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Summary
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp configuration leaks the admin bootstrap token and signing keys to any web page the operator visits while the control plane is reachable from their browser: CorsAllowedDomains: [".*"] reflects any Origin header, and LocalhostIsAdmin: true promotes requests arriving from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page therefore returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5.
Severity
CWE
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2 | x_refsource_CONFIRM |
| https://github.com/kumahq/kuma/pull/16416 | x_refsource_MISC |
| https://github.com/kumahq/kuma/pull/16423 | x_refsource_MISC |
| https://github.com/kumahq/kuma/pull/16424 | x_refsource_MISC |
| https://github.com/kumahq/kuma/pull/16425 | x_refsource_MISC |
| https://github.com/kumahq/kuma/pull/16426 | x_refsource_MISC |
| https://github.com/kumahq/kuma/pull/16427 | x_refsource_MISC |
| https://github.com/kumahq/kuma/commit/8fefa8595d44eb68d922405702ed7a0826322907 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45021",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T19:30:17.834875Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T19:30:33.327Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kuma",
"vendor": "kumahq",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.25"
},
{
"status": "affected",
"version": "\u003e= 2.9.0, \u003c 2.9.15"
},
{
"status": "affected",
"version": "\u003e= 2.11.0, \u003c 2.11.13"
},
{
"status": "affected",
"version": "\u003e= 2.12.0, \u003c 2.12.10"
},
{
"status": "affected",
"version": "\u003e= 2.13.0, \u003c 2.13.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [\".*\"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T17:45:14.434Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2"
},
{
"name": "https://github.com/kumahq/kuma/pull/16416",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kumahq/kuma/pull/16416"
},
{
"name": "https://github.com/kumahq/kuma/pull/16423",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kumahq/kuma/pull/16423"
},
{
"name": "https://github.com/kumahq/kuma/pull/16424",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kumahq/kuma/pull/16424"
},
{
"name": "https://github.com/kumahq/kuma/pull/16425",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kumahq/kuma/pull/16425"
},
{
"name": "https://github.com/kumahq/kuma/pull/16426",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kumahq/kuma/pull/16426"
},
{
"name": "https://github.com/kumahq/kuma/pull/16427",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kumahq/kuma/pull/16427"
},
{
"name": "https://github.com/kumahq/kuma/commit/8fefa8595d44eb68d922405702ed7a0826322907",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kumahq/kuma/commit/8fefa8595d44eb68d922405702ed7a0826322907"
}
],
"source": {
"advisory": "GHSA-3vcp-chfh-f6r2",
"discovery": "UNKNOWN"
},
"title": "Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45021",
"datePublished": "2026-05-28T17:45:14.434Z",
"dateReserved": "2026-05-08T16:58:28.896Z",
"dateUpdated": "2026-05-28T19:30:33.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}