GHSA-V95X-XHQ5-4929
Vulnerability from github – Published: 2026-07-16 19:12 – Updated: 2026-07-16 19:12
VLAI
Summary
kumactl connects to control plane without verifying TLS certificate when no CA is configured
Details
When an operator adds an HTTPS control plane profile to kumactl without providing a CA certificate, kumactl disables TLS verification and sends API tokens over the unverified connection
Impact
An attacker on the network path between the operator and the control plane can intercept user or admin API tokens and then act against the control plane as that user
Affected configurations
kumactlprofiles manually added against an HTTPS control plane endpoint without--ca-cert-file
Not affected
- The default local profile, which uses plain HTTP
Workarounds
When adding an HTTPS control plane profile to kumactl, always pass --ca-cert-file pointing at the control plane's serving CA. Alternatively, terminate the control plane behind a publicly trusted certificate; the patched releases will verify successfully against the operating system trust store with no further configuration
Resources
- Fix: https://github.com/kumahq/kuma/pull/16777
Severity
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kumahq/kuma/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.26"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/kumahq/kuma/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.9.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/kumahq/kuma/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.11.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/kumahq/kuma/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.12.0"
},
{
"fixed": "2.12.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/kumahq/kuma/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.13.0"
},
{
"fixed": "2.13.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/kumahq/kuma"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50166"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-16T19:12:08Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "When an operator adds an HTTPS control plane profile to `kumactl` without providing a CA certificate, `kumactl` disables TLS verification and sends API tokens over the unverified connection\n\n## Impact\n\nAn attacker on the network path between the operator and the control plane can intercept user or admin API tokens and then act against the control plane as that user\n\n## Affected configurations\n\n- `kumactl` profiles manually added against an HTTPS control plane endpoint without `--ca-cert-file`\n\n## Not affected\n\n- The default local profile, which uses plain HTTP\n\n## Workarounds\n\nWhen adding an HTTPS control plane profile to `kumactl`, always pass `--ca-cert-file` pointing at the control plane\u0027s serving CA. Alternatively, terminate the control plane behind a publicly trusted certificate; the patched releases will verify successfully against the operating system trust store with no further configuration\n\n## Resources\n\n- Fix: https://github.com/kumahq/kuma/pull/16777",
"id": "GHSA-v95x-xhq5-4929",
"modified": "2026-07-16T19:12:08Z",
"published": "2026-07-16T19:12:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kumahq/kuma/security/advisories/GHSA-v95x-xhq5-4929"
},
{
"type": "WEB",
"url": "https://github.com/kumahq/kuma/pull/16777"
},
{
"type": "WEB",
"url": "https://github.com/kumahq/kuma/commit/2ecadac1aa2fd8cded4c2ab768949f4c2ec83e2a"
},
{
"type": "PACKAGE",
"url": "https://github.com/kumahq/kuma"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "kumactl connects to control plane without verifying TLS certificate when no CA is configured"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…