CVE-2026-45021
Description
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5.
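As an added illustration, not code from the Kuma project, the following Go lint flags the two settings the description names. The `ApiServerConfig` struct is a hypothetical stand-in for the relevant kuma-cp settings, and it assumes (as the description implies) that `CorsAllowedDomains` entries are regular expressions matched against the request's `Origin` header.

```go
package main

import (
	"fmt"
	"regexp"
)

// ApiServerConfig is a hypothetical stand-in for the two kuma-cp settings
// named in the advisory; it is not Kuma's own configuration type.
type ApiServerConfig struct {
	CorsAllowedDomains []string
	LocalhostIsAdmin   bool
}

// OriginAllowed tests the Origin header against each configured pattern,
// treating each entry as a Go regular expression (assumption, see lead-in).
// Note that an unanchored pattern matches as a substring, so "gui\.example"
// also accepts "https://gui.example.other.invalid"; anchor with ^ and $.
func OriginAllowed(cfg ApiServerConfig, origin string) bool {
	for _, pattern := range cfg.CorsAllowedDomains {
		re, err := regexp.Compile(pattern)
		if err != nil {
			continue // an invalid pattern cannot allow anything
		}
		if re.MatchString(origin) {
			return true
		}
	}
	return false
}

// Findings returns one message per weak setting found in cfg.
func Findings(cfg ApiServerConfig) []string {
	var out []string
	// Constructed probe origin no operator would intentionally allow: if it
	// passes, the allow-list effectively reflects any Origin.
	const probe = "https://unknown-site.invalid"
	if OriginAllowed(cfg, probe) {
		out = append(out, "CorsAllowedDomains matches arbitrary origins")
	}
	if cfg.LocalhostIsAdmin {
		out = append(out, "LocalhostIsAdmin promotes 127.0.0.1 callers to admin")
	}
	return out
}

func main() {
	weak := ApiServerConfig{CorsAllowedDomains: []string{".*"}, LocalhostIsAdmin: true}
	hardened := ApiServerConfig{CorsAllowedDomains: []string{`^https://gui\.mesh\.example$`}}
	fmt.Println(Findings(weak))     // two findings
	fmt.Println(Findings(hardened)) // none
}
```

The hardened config lists an explicit, anchored origin and leaves localhost promotion off; with the defaults described above, any page open in the operator's browser satisfies both checks at once.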
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/kumahq/kuma | Go | < 2.7.25 | 2.7.25 |
| github.com/kumahq/kuma | Go | >= 2.9.0, < 2.9.15 | 2.9.15 |
| github.com/kumahq/kuma | Go | >= 2.11.0, < 2.11.13 | 2.11.13 |
| github.com/kumahq/kuma | Go | >= 2.12.0, < 2.12.10 | 2.12.10 |
| github.com/kumahq/kuma | Go | >= 2.13.0, < 2.13.5 | 2.13.5 |
References
- github.com/advisories/GHSA-3vcp-chfh-f6r2
- nvd.nist.gov/vuln/detail/CVE-2026-45021
- github.com/kumahq/kuma/commit/8fefa8595d44eb68d922405702ed7a0826322907
- github.com/kumahq/kuma/pull/16416
- github.com/kumahq/kuma/pull/16423
- github.com/kumahq/kuma/pull/16424
- github.com/kumahq/kuma/pull/16425
- github.com/kumahq/kuma/pull/16426
- github.com/kumahq/kuma/pull/16427
- github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2