CVE-2025-64323
Description
kgateway is a Cloud-Native API and AI Gateway. Versions 2.0.4 and below and 2.1.0-agw-cel-rbac through 2.1.0-rc.2 lack authentication on the xDS port, allowing any client with unrestricted network access to that port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster metadata. This issue is fixed in versions 2.0.5 and 2.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
kgateway xDS port lacks authentication, exposing sensitive configuration data to any network-accessible client; fixed in versions 2.0.5 and 2.1.0.
Vulnerability
The xDS endpoint in kgateway versions 2.0.4 and below, as well as versions 2.1.0-agw-cel-rbac through 2.1.0-rc.2, does not require authentication. This allows any client with network access to the xDS port to retrieve sensitive configuration data, including certificate data, backend service information, routing rules, and cluster metadata [1][2].
Exploitation
An attacker only needs unrestricted network access to the xDS port; no authentication or special privileges are required. The xDS protocol is used for dynamic configuration, so an attacker can query the control plane for configuration details [2].
Impact
Exposure of sensitive configuration data could enable further attacks, such as service disruption or data exfiltration. The vulnerability has a CVSS v3 base score of 5.3 (Medium) [2].
Mitigation
The issue is fixed in kgateway versions 2.0.5 and 2.1.0 by enabling JWT-based authentication for xDS by default [1]. Users should upgrade to these versions or later. As a workaround, network access to the xDS port can be restricted [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/kgateway-dev/kgateway/v2 (Go) | >= 2.1.0-agw-cel-rbac, < 2.1.0 | 2.1.0 |
| github.com/kgateway-dev/kgateway/v2 (Go) | < 2.0.5 | 2.0.5 |
Affected products
- (no CPE) range: 0.5.0, 0.5.1, 1.3.10, …
- (no CPE) range: <= 2.0.4, >= 2.1.0-agw-cel-rbac <= 2.1.0-rc.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4766-x535-jw3r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-64323 (ghsa, ADVISORY)
- github.com/kgateway-dev/kgateway/issues/10651 (nvd, WEB)
- github.com/kgateway-dev/kgateway/pull/12471 (nvd, WEB)
- github.com/kgateway-dev/kgateway/pull/12535 (nvd, WEB)
- github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r (nvd, WEB)
News mentions
No linked articles in our index yet.