Weave GitOps leaked cluster credentials into logs on connection errors
Description
Weave GitOps logs cluster configurations including service account tokens on connection errors, allowing authenticated or external attackers to compromise registered clusters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
The vulnerability in Weave GitOps arises from the client factory's error handling logic. When the cluster manager attempts to connect to a registered Kubernetes cluster's API server and encounters a connection error, the client factory dumps the entire cluster configuration (KubeConfig) along with the associated service account tokens into the pod logs in plain text [1][3]. This occurs because the error log statement includes the full cluster list, as seen in the vulnerable code path [4].
Exploitation
Prerequisites
An attacker can exploit this vulnerability in two ways. An authenticated remote attacker can directly access the pod logs of Weave GitOps on the management cluster. Additionally, if the management cluster has external log storage enabled (e.g., centralized logging systems), an unauthorized remote attacker may also retrieve these sensitive configurations from that external storage [1][3]. No special network position beyond access to the logs is required.
Impact
Successful exploitation allows the attacker to obtain the KubeConfig files and service account tokens for all registered Kubernetes clusters. With these credentials, the attacker can manage the registered clusters, potentially gaining full control over the workloads and infrastructure managed by Weave GitOps [1][3].
Mitigation
The vulnerability has been fixed in commit 567356f471353fb5c676c77f5abc2a04631d50ca, which removes the cluster configurations from the error log [4]. Users should upgrade to Weave GitOps core version v0.8.1-rc.6 or newer. There is no known workaround for this vulnerability [3].
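The vulnerability description above (an error log that receives the whole cluster list, tokens included) and the fix (dropping the cluster objects from the log call) are easy to reproduce in miniature. The following Go program is an added illustration, not code from the Weave GitOps repository: the `Cluster` type, the logger functions and the sample tokens are constructed for this example and only mirror the shape of the vulnerable and patched log statements. It shows the pre-fix pattern, the patched pattern, a defense-in-depth variant that redacts the token before any formatting happens, and a `LeaksCredential` check of the kind a log-pipeline test can run to catch regressions.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"log"
	"strings"
)

// Cluster is a constructed stand-in for a registered cluster entry. Name is
// safe to log; Server and BearerToken are connection credentials.
type Cluster struct {
	Name        string
	Server      string
	BearerToken string
}

// Redacted returns a copy that is safe to pass to %+v: the token is replaced,
// so a careless format verb downstream cannot reveal it.
func (c Cluster) Redacted() Cluster {
	c.BearerToken = "[REDACTED]"
	return c
}

// SafeNames extracts only the identifiers an operator needs to find the
// failing cluster; nothing else from the config reaches the log.
func SafeNames(clusters []Cluster) []string {
	names := make([]string, 0, len(clusters))
	for _, c := range clusters {
		names = append(names, c.Name)
	}
	return names
}

// LogConnectErrorVulnerable mirrors the pre-fix pattern: the full cluster
// objects are handed to the logger, so every field is rendered in plain text.
func LogConnectErrorVulnerable(logger *log.Logger, err error, clusters []Cluster) {
	logger.Printf("failed to create clients for clusters=%+v err=%v", clusters, err)
}

// LogConnectErrorFixed mirrors the patched pattern: the log line keeps the
// error and only the cluster names, which is enough to triage the failure.
func LogConnectErrorFixed(logger *log.Logger, err error, clusters []Cluster) {
	logger.Printf("failed to create clients clusters=%v err=%v", SafeNames(clusters), err)
}

// LogConnectErrorRedacted is the defense-in-depth variant: the objects are
// still logged for context, but only after Redacted() has stripped the token.
func LogConnectErrorRedacted(logger *log.Logger, err error, clusters []Cluster) {
	redacted := make([]Cluster, 0, len(clusters))
	for _, c := range clusters {
		redacted = append(redacted, c.Redacted())
	}
	logger.Printf("failed to create clients clusters=%+v err=%v", redacted, err)
}

// LeaksCredential reports whether a captured log line contains any of the
// clusters' bearer tokens. A unit test over the logger output, or a filter in
// the log pipeline, can use this to fail fast on a regression.
func LeaksCredential(logLine string, clusters []Cluster) bool {
	for _, c := range clusters {
		if c.BearerToken != "" && strings.Contains(logLine, c.BearerToken) {
			return true
		}
	}
	return false
}

// CaptureLog runs fn against a logger backed by a buffer and returns the text
// that would have reached the pod log.
func CaptureLog(fn func(*log.Logger)) string {
	var buf bytes.Buffer
	fn(log.New(&buf, "", 0))
	return buf.String()
}

func main() {
	// Constructed sample clusters; the tokens are placeholders, not real credentials.
	clusters := []Cluster{
		{Name: "prod-eu", Server: "https://10.0.0.1:6443", BearerToken: "constructed-token-AAAA"},
		{Name: "prod-us", Server: "https://10.0.0.2:6443", BearerToken: "constructed-token-BBBB"},
	}
	err := errors.New("dial tcp 10.0.0.1:6443: connect: connection refused")

	before := CaptureLog(func(l *log.Logger) { LogConnectErrorVulnerable(l, err, clusters) })
	fixed := CaptureLog(func(l *log.Logger) { LogConnectErrorFixed(l, err, clusters) })
	redacted := CaptureLog(func(l *log.Logger) { LogConnectErrorRedacted(l, err, clusters) })

	fmt.Printf("vulnerable pattern leaks a token: %v\n", LeaksCredential(before, clusters))
	fmt.Printf("patched pattern leaks a token:    %v\n", LeaksCredential(fixed, clusters))
	fmt.Printf("redacted pattern leaks a token:   %v\n", LeaksCredential(redacted, clusters))
}
```

The `Redacted()` method is the piece worth copying into real code: removing one log argument closes this particular path, but a type whose printable form never contains the secret protects every `%v`/`%+v` call site at once, including ones added later.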
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/weaveworks/weave-gitops (Go) | < 0.8.1-rc.6 | 0.8.1-rc.6 |
Affected products
- Range: < 0.8.1-rc.6
Patches
567356f47135 Fix logging on cluster connection error
1 file changed · +1 −1
core/clustersmngr/factory.go+1 −1 modified@@ -131,7 +131,7 @@ func (cf *clientsFactory) watchNamespaces(ctx context.Context) { func (cf *clientsFactory) UpdateNamespaces(ctx context.Context) error { clients, err := clientsForClusters(cf.clusters.Get()) if err != nil { - cf.log.Error(err, "failed to create clients for", "clusters", cf.clusters.Get()) + cf.log.Error(err, "failed to create client") return err }
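Review bot: the replacement line drops all cluster context from the error, so an operator reading "failed to create client" can no longer tell which of the registered clusters failed; since the only problem with the removed line was passing the full objects from cf.clusters.Get(), log a derived, non-sensitive field instead (for example the cluster names or their count) alongside err. The message also changes from "failed to create clients for" to the singular "failed to create client" although the call still covers every cluster in the list; keep it plural. Finally, the same leak exists wherever a cluster object is handed to a log call with a structured key, so the other log statements in this package that take cf.clusters.Get() or individual cluster values as arguments deserve the same review, and a redacting String() method on the cluster config type would protect all of them at once.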
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-xggc-qprg-x6mw (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-31098 (GHSA, advisory)
- github.com/weaveworks/weave-gitops/commit/567356f471353fb5c676c77f5abc2a04631d50ca (GHSA, x_refsource_MISC, web)
- github.com/weaveworks/weave-gitops/security/advisories/GHSA-xggc-qprg-x6mw (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.