CVE-2026-6720

Summary
Assigner: Tigera
Assigner Org ID: e6d453f4-3dae-4941-bcea-9af25f4e824d
Published At: 28 May, 2026 | 15:47
Updated At: 28 May, 2026 | 17:04

Calicoctl leaks cluster credentials to stderr when verbose logging is enabled

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.
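
A minimal Go illustration of the logging pattern described above and one way to prevent it, added here as an example; it is not calicoctl's code or the fix from the referenced pull requests. The struct names, field names and sample values are hypothetical.

```go
package main

import "fmt"

// Secret redacts itself under every fmt verb (%v, %+v, %#v, %s, %q).
// Caveat: fmt only calls Format on exported struct fields; an unexported
// Secret field would still be printed raw.
type Secret string

func (s Secret) Format(f fmt.State, _ rune) {
	if s == "" {
		fmt.Fprint(f, "<unset>")
		return
	}
	fmt.Fprint(f, "<redacted>")
}

// Reveal is the one explicit way to read the credential.
func (s Secret) Reveal() string { return string(s) }

// UnsafeConfig is a hypothetical connection config that keeps its
// credentials as plain strings, so %+v prints them verbatim.
type UnsafeConfig struct {
	DatastoreType                      string
	K8sAPIToken, EtcdPassword, EtcdKey string
}

// SafeConfig has the same shape with the credentials typed as Secret.
type SafeConfig struct {
	DatastoreType                      string
	K8sAPIToken, EtcdPassword, EtcdKey Secret
}

// LogLine renders cfg the way a verbose "loaded config" log line would.
func LogLine(cfg interface{}) string {
	return fmt.Sprintf("Loaded client config: %+v", cfg)
}

func main() {
	// Constructed sample values, not real credentials.
	tok, pw := "SAMPLE-TOKEN", "SAMPLE-PASS"
	fmt.Println(LogLine(UnsafeConfig{DatastoreType: "etcdv3", K8sAPIToken: tok, EtcdPassword: pw}))
	fmt.Println(LogLine(SafeConfig{DatastoreType: "etcdv3", K8sAPIToken: Secret(tok), EtcdPassword: Secret(pw)}))
}
```

The first line printed contains both sample credentials; the second shows only which fields are set.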

▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner: Tigera
Assigner Org ID: e6d453f4-3dae-4941-bcea-9af25f4e824d
Published At: 28 May, 2026 | 15:47
Updated At: 28 May, 2026 | 17:04
▼CVE Numbering Authority (CNA)
Affected Products

Vendor: Tigera
Product: Calico
Default Status: affected
Versions:
  • Affected: from 0 before 3.32.0 (semver)

Vendor: Tigera
Product: Calico Enterprise
Default Status: affected
Versions:
  • Affected: from 0 before 3.21.7 (semver)
  • Unaffected: 3.22.3 (semver)

Vendor: Tigera
Product: Calico Cloud
Default Status: affected
Versions:
  • Affected: from 0 before 22.4.0 (semver)

Problem Types
Type: CWE
CWE ID: CWE-532
Description: CWE-532

Metrics
Version: 4.0
Base score: 7.2
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

Impacts
CAPEC ID: CAPEC-150
Description: CAPEC-150 Collect Data from Common Resource Locations

Credits
finder: Behnam Shobiri
remediation developer: Behnam Shobiri
remediation verifier: Anthony Tam

References
Hyperlink: https://github.com/projectcalico/calico/pull/12535
Resource: patch
Hyperlink: https://github.com/projectcalico/calico/pull/12536
Resource: patch
Hyperlink: https://github.com/projectcalico/calico/pull/12537
Resource: patch
Hyperlink: https://www.tigera.io/security-bulletins/tta-2026-003/
Resource: vendor-advisory

▼National Vulnerability Database (NVD)
nvd.nist.gov
Source: psirt@tigera.io
Published At: 28 May, 2026 | 17:16
Updated At: 28 May, 2026 | 17:16

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A

Metrics
Type: Secondary
Version: 4.0
Base score: 7.2
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses
CWE ID: CWE-532
Type: Secondary
Source: psirt@tigera.io

References
Hyperlink: https://github.com/projectcalico/calico/pull/12535
Source: psirt@tigera.io
Resource: N/A
Hyperlink: https://github.com/projectcalico/calico/pull/12536
Source: psirt@tigera.io
Resource: N/A
Hyperlink: https://github.com/projectcalico/calico/pull/12537
Source: psirt@tigera.io
Resource: N/A
Hyperlink: https://www.tigera.io/security-bulletins/tta-2026-003/
Source: psirt@tigera.io
Resource: N/A

Similar CVEs

2 Records found

CVE-2026-41185
Matching Score-6
Assigner-Tigera, Inc.
CVSS Score-6 | MEDIUM
EPSS-0.03% / 10.00%
7 Day CHG-0.01%
Published-28 May, 2026 | 15:47
Updated-05 Jun, 2026 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ServiceAccount token disclosure via Azure IPAM CNI plugin logs

When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map (stdinData) at INFO level to /var/log/calico/cni/cni.log on every CNI ADD and DEL invocation — once per pod scheduled or terminated on the node. When the cluster is deployed using token-based Kubernetes authentication, this log entry contains the ServiceAccount token, client key, and certificate authority in plaintext. Any principal with read access to /var/log/calico/cni/cni.log on a node can read these logs and extract the credentials, which grant cluster-wide Calico networking admin privileges.

Action-Not Available
Vendor-tigera, Tigera
Product-calico, Calico, Calico Enterprise, Calico Cloud
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2026-41184
Matching Score-6
Assigner-Tigera, Inc.
CVSS Score-6 | MEDIUM
EPSS-0.05% / 16.95%
7 Day CHG-0.03%
Published-28 May, 2026 | 15:47
Updated-05 Jun, 2026 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ServiceAccount token disclosure via install-cni container logs

In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace with calico-node. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001.

Action-Not Available
Vendor-tigera, Tigera
Product-calico, Calico
CWE ID-CWE-532
Insertion of Sensitive Information into Log File