CVE-2026-45021

EUVD-2026-32966

28.05.2026, 18:16

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-346 - Origin Validation Error
The software does not properly verify that the source of data or communication is valid.

References

https://github.com/kumahq/kuma/commit/8fefa8595d44eb68d922405702ed7a0826322907

https://github.com/kumahq/kuma/pull/16416

https://github.com/kumahq/kuma/pull/16423

https://github.com/kumahq/kuma/pull/16424

https://github.com/kumahq/kuma/pull/16425

https://github.com/kumahq/kuma/pull/16426

https://github.com/kumahq/kuma/pull/16427

https://github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2