When Tigera Calico is used with the Azure IPAM plugin, the Calico CNI binary mutates the CNI configuration to add subnet information and then the Azure IPAM helper logs the entire unmarshaled configuration map at INFO level to /var/log/calico/cni/cni.log on every CNI ADD and DEL invocation. This log entry includes sensitive information such as the Kubernetes ServiceAccount token, client key, and certificate authority in plaintext if the cluster uses token-based Kubernetes authentication. This exposure allows any principal with read access to the log file on a node to obtain credentials that grant cluster-wide Calico networking administrative privileges. The vulnerability is tracked as CVE-2026-41185 with a CVSS 4.0 score of 6.0 (medium severity). The affected product is Tigera Calico, a cloud service, and a patch is available though no direct patch link is provided.

The vulnerability allows disclosure of sensitive Kubernetes authentication credentials through plaintext logging. An attacker or unauthorized user with read access to the Calico CNI log file on a node can extract ServiceAccount tokens and client keys, enabling them to gain cluster-wide administrative privileges over Calico networking. This can lead to unauthorized network configuration changes and potential disruption or compromise of cluster networking. There are no known exploits in the wild currently.

A patch is available for this vulnerability. Since Tigera Calico is a cloud service, the vendor typically manages remediation server-side. Users should verify with Tigera's official advisory and update to the patched version as soon as possible to prevent credential leakage via logs. Until patched, restrict access to the /var/log/calico/cni/cni.log file to trusted administrators only to minimize exposure.