CVE-2026-41184: CWE-532 Insertion of sensitive information into log file in Tigera Calico
In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace where calico-node runs. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001.
AI Analysis
Technical Summary
In Tigera Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder, the installer replaces it with the live Kubernetes ServiceAccount bearer token before logging. This exposes the token to any authenticated user with pods/log permission in the calico-node namespace. The token provides patch privileges on pods/status, which could be abused for annotation-based attacks against cluster workloads. This vulnerability is a regression of a previously known issue (TTA-2018-001). The default kubeconfig-based authentication path remains unaffected.
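To check whether a cluster's logs already contain a leaked token, the following added example (not Calico project code) scans log text for JWTs and reports the ServiceAccount identity behind any it finds, without re-emitting the token. The log lines and the token are constructed here; the `k8s_auth_token` field name, the log prefix and the kube-system namespace are assumptions about how the rendered config looks in a Canal deployment.

```python
"""Detect Kubernetes ServiceAccount tokens that leaked into container logs.

Added example, not Calico project code. It scans log text, such as the
output of `kubectl logs -n <ns> <calico-node-pod> -c install-cni`, for JWTs,
decodes the claims without verifying the signature, and reports only the
identity of any ServiceAccount token found, never the token itself.
"""
import base64
import json
import re

# A JWT is three base64url segments separated by dots; the header of an
# SA token always base64-encodes '{"' and therefore starts with "eyJ".
_JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _sa_identity(token: str):
    """Return (namespace, serviceaccount) if `token` carries SA claims, else None."""
    try:
        header, payload, _sig = token.split(".")
        json.loads(_b64url_decode(header))
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    # Legacy (Secret-based) tokens use flat kubernetes.io/serviceaccount/* claims;
    # bound tokens (TokenRequest API) nest them under "kubernetes.io".
    ns = claims.get("kubernetes.io/serviceaccount/namespace")
    name = claims.get("kubernetes.io/serviceaccount/service-account.name")
    if ns is None:
        k8s = claims.get("kubernetes.io", {})
        ns = k8s.get("namespace")
        name = (k8s.get("serviceaccount") or {}).get("name")
    if ns is None or name is None:
        return None
    return ns, name


def find_leaked_sa_tokens(log_text: str):
    """Return one (line_number, namespace, serviceaccount, prefix) per leaked token.

    Only the first 8 characters of the token are kept, enough to correlate
    occurrences across log systems without copying the credential again.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in _JWT_RE.finditer(line):
            identity = _sa_identity(match.group(0))
            if identity:
                ns, name = identity
                findings.append((lineno, ns, name, match.group(0)[:8] + "..."))
    return findings


def redact_rendered_config(rendered: str) -> str:
    """What the installer should write to stdout: the config with tokens masked."""
    return _JWT_RE.sub("<redacted-token>", rendered)


# --- constructed sample: a fake legacy SA token inside an install-cni style log ---
def _fake_jwt(claims: dict) -> str:
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'kid': 'fake'})}.{enc(claims)}.{'x' * 40}"


SAMPLE_TOKEN = _fake_jwt({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/service-account.name": "canal",
    "sub": "system:serviceaccount:kube-system:canal",
})

# Constructed log text; the field names are assumptions, not captured output.
SAMPLE_LOG = f"""\
2026-05-28 16:48:39 [INFO] cni-installer: Using CNI config template from CNI_NETWORK_CONFIG environment variable.
2026-05-28 16:48:39 [INFO] cni-installer: CNI config: {{
  "name": "k8s-pod-network",
  "cniVersion": "0.3.1",
  "plugins": [{{"type": "calico", "kubernetes": {{"k8s_api_root": "https://10.96.0.1:443", "k8s_auth_token": "{SAMPLE_TOKEN}"}}}}]
}}
"""

if __name__ == "__main__":
    for lineno, ns, name, prefix in find_leaked_sa_tokens(SAMPLE_LOG):
        print(f"line {lineno}: ServiceAccount {ns}/{name} token leaked ({prefix})")
```

Feed it the output of `kubectl logs -n <namespace> <calico-node-pod> -c install-cni` (an init container's logs stay retrievable after it has exited, for as long as the pod exists) and any copy held by your log aggregator; a hit means the token has to be rotated, not just the permission tightened. `redact_rendered_config` shows the shape of the fix on the logging side: mask the credential before the rendered configuration is written to stdout.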
Potential Impact
The exposure of the Kubernetes ServiceAccount bearer token in logs allows any authenticated user with pods/log permission in the calico-node namespace to obtain a token with patch privileges on pods/status. This can lead to unauthorized modification of pod annotations, potentially impacting cluster workload integrity. Because the token is written to the init container's stdout, it also persists wherever those logs are collected, so read access to the cluster's log aggregation system is a second path to the same token. The vulnerability does not affect the default kubeconfig authentication path. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Until an official fix is available, restrict pods/log permissions in the calico-node namespace to trusted users only, remembering that cluster-wide bindings of the built-in view, edit and admin ClusterRoles grant that permission as well. Prefer the default kubeconfig-based authentication path over templates that use the __SERVICEACCOUNT_TOKEN__ placeholder, since that path is not affected. Treat any token that has already been logged as compromised: once the fixed version is deployed, rotate it (delete the ServiceAccount's token Secret for a legacy token, or recreate the calico-node pods so a fresh projected token is issued) and purge the affected entries from log aggregation systems.
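Restricting pods/log first requires knowing who holds it, and the answer is not visible from the calico-node namespace alone because ClusterRoleBindings apply everywhere. The following added example (not Calico project code) implements the slice of RBAC evaluation needed to answer "who can `get pods/log` in this namespace", to be run over the JSON from `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`. The objects below are constructed, and kube-system as the calico-node namespace is an assumption.

```python
"""Audit which subjects can read pod logs in the namespace that runs calico-node.

Added example, not Calico project code. It evaluates Roles, ClusterRoles and
their bindings for a single question: who can `get` the pods/log subresource
in a given namespace. The namespace is an assumption; check where calico-node
actually runs in your cluster.
"""

CORE_GROUP = ""  # pods live in the core API group, written as "" in RBAC rules


def _rule_grants_pod_logs(rule: dict) -> bool:
    """True if one RBAC rule allows `get` on the pods/log subresource."""
    groups = rule.get("apiGroups", [])
    verbs = rule.get("verbs", [])
    resources = rule.get("resources", [])
    group_ok = "*" in groups or CORE_GROUP in groups
    verb_ok = "*" in verbs or "get" in verbs
    # RBAC matches a subresource by "*", the exact "pods/log", or the
    # "*/log" form; "pods/*" is not a valid wildcard and grants nothing.
    resource_ok = any(r in ("*", "pods/log", "*/log") for r in resources)
    return group_ok and verb_ok and resource_ok


def _role_grants_pod_logs(role: dict) -> bool:
    return any(_rule_grants_pod_logs(r) for r in role.get("rules", []))


def _subject_id(subject: dict) -> str:
    ns = subject.get("namespace")
    return f"{subject['kind']}:{ns + '/' if ns else ''}{subject['name']}"


def subjects_with_pod_log_access(namespace: str, items: list) -> set:
    """Return the subjects that can read pod logs in `namespace`.

    `items` is a flat list of Role, ClusterRole, RoleBinding and
    ClusterRoleBinding objects in API shape (kind, metadata, rules/roleRef/subjects).
    """
    roles = {}          # (namespace, name) -> grants pods/log?
    cluster_roles = {}  # name -> grants pods/log?
    for obj in items:
        if obj["kind"] == "Role":
            key = (obj["metadata"]["namespace"], obj["metadata"]["name"])
            roles[key] = _role_grants_pod_logs(obj)
        elif obj["kind"] == "ClusterRole":
            cluster_roles[obj["metadata"]["name"]] = _role_grants_pod_logs(obj)

    found = set()
    for obj in items:
        ref = obj.get("roleRef", {})
        if obj["kind"] == "RoleBinding":
            # A RoleBinding only grants inside its own namespace, whether it
            # references a Role there or a ClusterRole.
            if obj["metadata"]["namespace"] != namespace:
                continue
            if ref["kind"] == "Role":
                grants = roles.get((namespace, ref["name"]), False)
            else:
                grants = cluster_roles.get(ref["name"], False)
        elif obj["kind"] == "ClusterRoleBinding":
            # A ClusterRoleBinding grants in every namespace, this one included.
            grants = cluster_roles.get(ref["name"], False)
        else:
            continue
        if grants:
            found.update(_subject_id(s) for s in obj.get("subjects", []))
    return found


# Constructed sample: a log-reader Role in kube-system, a cluster-wide log
# viewer, a pod lister that must NOT match, and a binding in another namespace.
SAMPLE_ITEMS = [
    {"kind": "Role", "metadata": {"namespace": "kube-system", "name": "log-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-log-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["*/log"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-lister"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "kube-system", "name": "devs-read-logs"},
     "roleRef": {"kind": "Role", "name": "log-reader"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "staging", "name": "staging-read-logs"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-log-viewer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-logs"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-log-viewer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "runner"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "monitor-pods"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-lister"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring", "name": "prom"}]},
]

if __name__ == "__main__":
    for subject in sorted(subjects_with_pod_log_access("kube-system", SAMPLE_ITEMS)):
        print("can read calico-node logs:", subject)
```

In the sample, `alice` can read logs in staging but not in kube-system, while the `ci/runner` ServiceAccount reaches kube-system through a ClusterRoleBinding despite never being mentioned in that namespace; that second case is the one a namespace-only review misses. The built-in view, edit and admin ClusterRoles all include `get` on pods/log, so every ClusterRoleBinding to them must be counted too.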
CVSS v4.0
Score: 6.0 (Medium)
Weaknesses
CWE-532: Insertion of sensitive information into log file
Technical Details
- Data Version: 5.2
- Assigner Short Name: Tigera
- Date Reserved: 2026-04-17T17:41:35.905Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a1871e7e29bf47b501244cb
Added to database: 5/28/2026, 4:48:39 PM
Last enriched: 5/28/2026, 5:05:18 PM
Last updated: 5/29/2026, 5:07:41 PM