ByteOS Network

NVD Vulnerability Details :

CVE-2026-6720

Received

Source-psirt@tigera.io

Published At-28 May, 2026 | 17:16

Updated At-28 May, 2026 | 17:16

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	7.2	HIGH	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 4.0

Base score: 7.2

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses

CWE ID	Type	Source
CWE-532	Secondary	psirt@tigera.io

CWE ID: CWE-532

Type: Secondary

Source: psirt@tigera.io

References

Hyperlink	Source	Resource
https://github.com/projectcalico/calico/pull/12535	psirt@tigera.io	N/A
https://github.com/projectcalico/calico/pull/12536	psirt@tigera.io	N/A
https://github.com/projectcalico/calico/pull/12537	psirt@tigera.io	N/A
https://www.tigera.io/security-bulletins/tta-2026-003/	psirt@tigera.io	N/A