Search

Find a vulnerability

Search criteria

    6 vulnerabilities by tilt-dev

    CVE-2026-55884 (GCVE-0-2026-55884)

    Vulnerability from nvd – Published: 2026-07-10 21:36 – Updated: 2026-07-10 21:36
    VLAI
    Title
    Tilt: Missing authentication on the network-exposed Tilt HUD server
    Summary
    Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-loopback address, an unauthenticated network caller can trigger developer-defined resources, tamper with Tiltfile arguments, read full engine state including the session token, and invoke apiserver resources through the token-attaching /proxy handler. This issue is fixed in version 0.37.4.
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    tilt-dev tilt Affected: >= 0.20.8, < 0.37.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "tilt",
              "vendor": "tilt-dev",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.20.8, \u003c 0.37.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-loopback address, an unauthenticated network caller can trigger developer-defined resources, tamper with Tiltfile arguments, read full engine state including the session token, and invoke apiserver resources through the token-attaching /proxy handler. This issue is fixed in version 0.37.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:36:18.861Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-c73q-8xxr-rgqm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-c73q-8xxr-rgqm"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/pull/6776",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/pull/6776"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4"
            }
          ],
          "source": {
            "advisory": "GHSA-c73q-8xxr-rgqm",
            "discovery": "UNKNOWN"
          },
          "title": "Tilt: Missing authentication on the network-exposed Tilt HUD server"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55884",
        "datePublished": "2026-07-10T21:36:18.861Z",
        "dateReserved": "2026-06-17T16:59:42.759Z",
        "dateUpdated": "2026-07-10T21:36:18.861Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55883 (GCVE-0-2026-55883)

    Vulnerability from nvd – Published: 2026-07-10 21:38 – Updated: 2026-07-10 21:38
    VLAI
    Title
    Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream
    Summary
    Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.24.0 through 0.37.3, the Tilt HUD WebSocket at /ws/view is gated by a CSRF token, but the token is served by the unauthenticated /api/websocket_token endpoint and the upgrader accepts clients that omit an Origin header. When the HUD is network-exposed, an attacker who can reach the listener can open the HUD WebSocket and receive the full view stream, including session state, Tiltfile contents, resource statuses, and continued updates. This issue is fixed in version 0.37.4.
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Impacted products
    Vendor Product Version
    tilt-dev tilt Affected: >= 0.24.0, < 0.37.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "tilt",
              "vendor": "tilt-dev",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.24.0, \u003c 0.37.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.24.0 through 0.37.3, the Tilt HUD WebSocket at /ws/view is gated by a CSRF token, but the token is served by the unauthenticated /api/websocket_token endpoint and the upgrader accepts clients that omit an Origin header. When the HUD is network-exposed, an attacker who can reach the listener can open the HUD WebSocket and receive the full view stream, including session state, Tiltfile contents, resource statuses, and continued updates. This issue is fixed in version 0.37.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:38:18.081Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-6m68-r693-78qx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-6m68-r693-78qx"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/pull/6776",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/pull/6776"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4"
            }
          ],
          "source": {
            "advisory": "GHSA-6m68-r693-78qx",
            "discovery": "UNKNOWN"
          },
          "title": "Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55883",
        "datePublished": "2026-07-10T21:38:18.081Z",
        "dateReserved": "2026-06-17T16:59:42.759Z",
        "dateUpdated": "2026-07-10T21:38:18.081Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55882 (GCVE-0-2026-55882)

    Vulnerability from nvd – Published: 2026-07-10 21:37 – Updated: 2026-07-10 21:37
    VLAI
    Title
    Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server
    Summary
    Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memory through /debug/pprof/heap and /debug/pprof/goroutine, including session and apiserver tokens, and degrade performance through /debug/pprof/profile or /debug/pprof/trace. This issue is fixed in version 0.37.4.
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    tilt-dev tilt Affected: >= 0.19.5, < 0.37.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "tilt",
              "vendor": "tilt-dev",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.19.5, \u003c 0.37.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memory through /debug/pprof/heap and /debug/pprof/goroutine, including session and apiserver tokens, and degrade performance through /debug/pprof/profile or /debug/pprof/trace. This issue is fixed in version 0.37.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:37:12.245Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-p749-9w62-w533",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-p749-9w62-w533"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/pull/6776",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/pull/6776"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4"
            }
          ],
          "source": {
            "advisory": "GHSA-p749-9w62-w533",
            "discovery": "UNKNOWN"
          },
          "title": "Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55882",
        "datePublished": "2026-07-10T21:37:12.245Z",
        "dateReserved": "2026-06-17T16:59:42.759Z",
        "dateUpdated": "2026-07-10T21:37:12.245Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55883 (GCVE-0-2026-55883)

    Vulnerability from cvelistv5 – Published: 2026-07-10 21:38 – Updated: 2026-07-10 21:38
    VLAI
    Title
    Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream
    Summary
    Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.24.0 through 0.37.3, the Tilt HUD WebSocket at /ws/view is gated by a CSRF token, but the token is served by the unauthenticated /api/websocket_token endpoint and the upgrader accepts clients that omit an Origin header. When the HUD is network-exposed, an attacker who can reach the listener can open the HUD WebSocket and receive the full view stream, including session state, Tiltfile contents, resource statuses, and continued updates. This issue is fixed in version 0.37.4.
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Impacted products
    Vendor Product Version
    tilt-dev tilt Affected: >= 0.24.0, < 0.37.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "tilt",
              "vendor": "tilt-dev",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.24.0, \u003c 0.37.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.24.0 through 0.37.3, the Tilt HUD WebSocket at /ws/view is gated by a CSRF token, but the token is served by the unauthenticated /api/websocket_token endpoint and the upgrader accepts clients that omit an Origin header. When the HUD is network-exposed, an attacker who can reach the listener can open the HUD WebSocket and receive the full view stream, including session state, Tiltfile contents, resource statuses, and continued updates. This issue is fixed in version 0.37.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:38:18.081Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-6m68-r693-78qx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-6m68-r693-78qx"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/pull/6776",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/pull/6776"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4"
            }
          ],
          "source": {
            "advisory": "GHSA-6m68-r693-78qx",
            "discovery": "UNKNOWN"
          },
          "title": "Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55883",
        "datePublished": "2026-07-10T21:38:18.081Z",
        "dateReserved": "2026-06-17T16:59:42.759Z",
        "dateUpdated": "2026-07-10T21:38:18.081Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55882 (GCVE-0-2026-55882)

    Vulnerability from cvelistv5 – Published: 2026-07-10 21:37 – Updated: 2026-07-10 21:37
    VLAI
    Title
    Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server
    Summary
    Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memory through /debug/pprof/heap and /debug/pprof/goroutine, including session and apiserver tokens, and degrade performance through /debug/pprof/profile or /debug/pprof/trace. This issue is fixed in version 0.37.4.
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    tilt-dev tilt Affected: >= 0.19.5, < 0.37.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "tilt",
              "vendor": "tilt-dev",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.19.5, \u003c 0.37.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memory through /debug/pprof/heap and /debug/pprof/goroutine, including session and apiserver tokens, and degrade performance through /debug/pprof/profile or /debug/pprof/trace. This issue is fixed in version 0.37.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:37:12.245Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-p749-9w62-w533",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-p749-9w62-w533"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/pull/6776",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/pull/6776"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4"
            }
          ],
          "source": {
            "advisory": "GHSA-p749-9w62-w533",
            "discovery": "UNKNOWN"
          },
          "title": "Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55882",
        "datePublished": "2026-07-10T21:37:12.245Z",
        "dateReserved": "2026-06-17T16:59:42.759Z",
        "dateUpdated": "2026-07-10T21:37:12.245Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55884 (GCVE-0-2026-55884)

    Vulnerability from cvelistv5 – Published: 2026-07-10 21:36 – Updated: 2026-07-10 21:36
    VLAI
    Title
    Tilt: Missing authentication on the network-exposed Tilt HUD server
    Summary
    Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-loopback address, an unauthenticated network caller can trigger developer-defined resources, tamper with Tiltfile arguments, read full engine state including the session token, and invoke apiserver resources through the token-attaching /proxy handler. This issue is fixed in version 0.37.4.
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    tilt-dev tilt Affected: >= 0.20.8, < 0.37.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "tilt",
              "vendor": "tilt-dev",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.20.8, \u003c 0.37.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-loopback address, an unauthenticated network caller can trigger developer-defined resources, tamper with Tiltfile arguments, read full engine state including the session token, and invoke apiserver resources through the token-attaching /proxy handler. This issue is fixed in version 0.37.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:36:18.861Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-c73q-8xxr-rgqm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-c73q-8xxr-rgqm"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/pull/6776",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/pull/6776"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/commit/47393fba7f6ef5e305d5e814551feef8e4acbc0a"
            },
            {
              "name": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4"
            }
          ],
          "source": {
            "advisory": "GHSA-c73q-8xxr-rgqm",
            "discovery": "UNKNOWN"
          },
          "title": "Tilt: Missing authentication on the network-exposed Tilt HUD server"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55884",
        "datePublished": "2026-07-10T21:36:18.861Z",
        "dateReserved": "2026-06-17T16:59:42.759Z",
        "dateUpdated": "2026-07-10T21:36:18.861Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }