GHSA-3VCP-CHFH-F6R2

Vulnerability from github – Published: 2026-05-14 20:15 – Updated: 2026-05-14 20:15
Summary
Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Details

Summary

Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material.

Am I affected?

You are affected if all of these hold:

  1. kuma-cp runs with default config (CorsAllowedDomains: [".*"] and LocalhostIsAdmin: true).
  2. The control plane is reachable from a browser on the same machine:
     • kuma-cp run on a developer laptop
     • Docker --network host or port-publish on a workstation
     • kubectl port-forward from a machine that also browses the web
  3. The operator visits a page running attacker JavaScript while the control plane is reachable.

You are not affected if:

  • The control plane runs on a Kubernetes cluster accessed via ClusterIP, NodePort, or LoadBalancer from a remote client.
  • The control plane runs on an SSH-administered VM with no browser on the host.
  • KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=false is set (see https://kuma.io/docs/latest/production/secure-deployment/api-server-auth/).
  • KUMA_API_SERVER_CORS_ALLOWED_DOMAINS is set to an explicit allowlist that excludes attacker origins.

Mitigation

  1. Set KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=false after retrieving the admin token.
  2. Set KUMA_API_SERVER_CORS_ALLOWED_DOMAINS to an explicit allowlist, for example http://localhost:5681,http://127.0.0.1:5681.
  3. Do not run kuma-cp on a machine where you browse untrusted sites.

Fix

Fixed in #16416, backported to all supported release branches (#16423, #16424, #16425, #16426, #16427).

Changes in patched versions:

  • CorsAllowedDomains default changed from [".*"] to [] — CORS is now opt-in; set the env var explicitly if you need GUI access.
  • LocalhostIsAdmin hardened: now requires direct loopback RemoteAddr and Host, and rejects requests carrying proxy-hop headers (X-Forwarded-For), cross-site fetch metadata (Sec-Fetch-Site), or a non-localhost Origin.
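As an added example (not Kuma's own code), here is a Go request filter that implements the hardened LocalhostIsAdmin rule just described: loopback peer, loopback Host, no proxy-hop header, no cross-site fetch metadata, no foreign Origin. The function names are assumptions, and the Sec-Fetch-Site handling is stricter than the bullet requires, passing only same-origin, direct-navigation, or header-less (non-browser) requests.

```go
package main

import (
	"net"
	"net/http"
	"net/url"
	"strings"
)

// isLoopbackHost accepts "localhost", 127.0.0.0/8 or ::1, with or without a port.
func isLoopbackHost(hostport string) bool {
	host := hostport
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		host = h
	}
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(strings.Trim(host, "[]"))
	return ip != nil && ip.IsLoopback()
}

// TrustedLoopbackAdmin reports whether r may be promoted to the implicit local admin.
// Each check below maps to one rejection reason in the advisory's "hardened" bullet.
func TrustedLoopbackAdmin(r *http.Request) bool {
	// The TCP peer itself must be a loopback address.
	if !isLoopbackHost(r.RemoteAddr) {
		return false
	}
	// The Host header must also name localhost (blocks rebinding-style hostnames).
	if !isLoopbackHost(r.Host) {
		return false
	}
	// Any proxy-hop header means the real client is not the local machine.
	if r.Header.Get("X-Forwarded-For") != "" {
		return false
	}
	// Browsers label fetches by origin relationship; only same-origin, direct
	// navigation, or clients that send no header (non-browsers) pass.
	switch r.Header.Get("Sec-Fetch-Site") {
	case "", "same-origin", "none":
	default:
		return false
	}
	// An Origin header, if present, must itself be a localhost origin.
	if o := r.Header.Get("Origin"); o != "" {
		u, err := url.Parse(o)
		if err != nil || !isLoopbackHost(u.Host) {
			return false
		}
	}
	return true
}
```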

Upgrade to a patched version:

  • 2.7.25
  • 2.9.15
  • 2.11.13
  • 2.12.10
  • 2.13.5

Credits

Reported by eldudareeno.

CVSS

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N = 5.1 Medium.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kumahq/kuma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kumahq/kuma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0"
            },
            {
              "fixed": "2.9.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kumahq/kuma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.11.0"
            },
            {
              "fixed": "2.11.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kumahq/kuma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.12.0"
            },
            {
              "fixed": "2.12.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kumahq/kuma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.13.0"
            },
            {
              "fixed": "2.13.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346",
      "CWE-942"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:15:08Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "id": "GHSA-3vcp-chfh-f6r2",
  "modified": "2026-05-14T20:15:08Z",
  "published": "2026-05-14T20:15:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kumahq/kuma/pull/16416"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kumahq/kuma/pull/16423"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kumahq/kuma/pull/16424"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kumahq/kuma/pull/16425"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kumahq/kuma/pull/16426"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kumahq/kuma/pull/16427"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kumahq/kuma/commit/8fefa8595d44eb68d922405702ed7a0826322907"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kumahq/kuma"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin"
}

