CVE-2026-45021: CWE-346: Origin Validation Error in kumahq kuma
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5.
AI Analysis
Technical Summary
Kuma, an Envoy-based service mesh, had a security flaw in its default control plane configuration before versions 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5. The vulnerability arises from overly permissive CORS settings (CorsAllowedDomains set to [".*"]) and the setting LocalhostIsAdmin set to true, which together allow any webpage visited by the operator to perform a cross-origin fetch request and obtain the admin bootstrap token and signing keys. This exposure of sensitive credentials can compromise the control plane's security. The vulnerability is classified under CWE-346 and CWE-942. The issue has been addressed in the listed patched versions.
Potential Impact
An attacker who can lure an operator to visit a malicious webpage while the control plane is accessible from the operator's browser can obtain the admin JWT and signing keys. This could lead to unauthorized administrative access to the Kuma control plane, potentially allowing control over the service mesh configuration. The CVSS 4.0 score is 5.1 (medium severity), reflecting network attack vector, low complexity, no privileges required, but user interaction needed and low impact on confidentiality and integrity.
Mitigation Recommendations
Upgrade Kuma to one of the fixed versions: 2.7.25, 2.9.15, 2.11.13, 2.12.10, or 2.13.5. These versions contain the official fix for this vulnerability. Until upgraded, restrict access to the control plane from browsers and avoid visiting untrusted webpages while the control plane is reachable. Patch status is confirmed by the vendor's versioning information in the advisory.
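The description above names two settings whose combination causes the exposure (a CORS allow-list that reflects any Origin, and loopback requests promoted to mesh-system:admin), and the mitigation section tells operators to upgrade and restrict access. The following added example (defender-side audit code, not Kuma's own) checks a loaded kuma-cp configuration for that weak combination and returns a hardened copy. It assumes the two settings live at the key paths `apiServer.corsAllowedDomains` and `apiServer.authn.localhostIsAdmin` once the YAML is loaded (assumed from the setting names in the advisory; adjust to your kuma-cp version if the paths differ). The sample config and the probe origin are constructed for the example.

```python
"""Audit a kuma-cp config for the weak defaults described in CVE-2026-45021
and produce a hardened copy. Added example, not Kuma project code.

Assumed key paths (not confirmed by the advisory):
  apiServer.corsAllowedDomains      -> list of regex patterns matched against Origin
  apiServer.authn.localhostIsAdmin  -> bool
"""
import re
from copy import deepcopy

# Constructed probe origin: a CORS pattern that fully matches it would also
# reflect an attacker-controlled page, so such a pattern is over-broad.
_PROBE_ORIGIN = "https://not-your-gui.example"


def _get(cfg, path, default=None):
    """Walk a dotted key path through nested dicts, returning default if absent."""
    cur = cfg
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def overbroad_cors_patterns(patterns):
    """Return the allow-list entries that would reflect an arbitrary Origin."""
    bad = []
    for pat in patterns or []:
        try:
            matches_probe = re.fullmatch(pat, _PROBE_ORIGIN) is not None
        except re.error:
            matches_probe = False  # an invalid regex cannot match anything
        if pat == ".*" or matches_probe:
            bad.append(pat)
    return bad


def audit_kuma_cp(cfg):
    """Return (severity, message) findings; empty list means the weak combination is absent."""
    findings = []
    bad_cors = overbroad_cors_patterns(_get(cfg, "apiServer.corsAllowedDomains"))
    localhost_admin = bool(_get(cfg, "apiServer.authn.localhostIsAdmin", False))
    if bad_cors:
        findings.append(("medium", f"apiServer.corsAllowedDomains reflects any Origin: {bad_cors}"))
    if localhost_admin:
        findings.append(("low", "apiServer.authn.localhostIsAdmin promotes loopback requests to mesh-system:admin"))
    if bad_cors and localhost_admin:
        findings.append(("high", "combined: a page open in the operator's browser can read the admin "
                                 "token and signing keys cross-origin (CVE-2026-45021)"))
    return findings


def harden_kuma_cp(cfg, allowed_origins):
    """Return a copy with an explicit, literal CORS allow-list and loopback promotion off."""
    out = deepcopy(cfg)
    api = out.setdefault("apiServer", {})
    # re.escape so each origin is matched literally rather than as a regex wildcard.
    api["corsAllowedDomains"] = [re.escape(origin) for origin in allowed_origins]
    api.setdefault("authn", {})["localhostIsAdmin"] = False
    return out


# Constructed sample mirroring the vulnerable default described in the advisory.
VULNERABLE_CFG = {
    "apiServer": {
        "corsAllowedDomains": [".*"],
        "authn": {"type": "tokens", "localhostIsAdmin": True},
    }
}

if __name__ == "__main__":
    for severity, message in audit_kuma_cp(VULNERABLE_CFG):
        print(f"[{severity}] {message}")
    fixed = harden_kuma_cp(VULNERABLE_CFG, ["https://kuma-gui.internal.example"])
    print("hardened apiServer:", fixed["apiServer"])
    print("findings after hardening:", audit_kuma_cp(fixed))
```

The check treats each allow-list entry as a regex, as the advisory's "reflects any Origin" wording implies, and flags any entry that would admit an origin the operator never intended, not only the literal `.*`. Restricting CORS alone removes the cross-origin read path; turning `localhostIsAdmin` off as well removes the loopback-to-admin promotion, which is the setting that turned a reachable API into an admin-credential leak. The upgrade to a fixed version remains the actual remediation.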
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-08T16:58:28.896Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a188377e29bf47b50179026
Added to database: 5/28/2026, 6:03:35 PM
Last enriched: 5/28/2026, 6:19:20 PM
Last updated: 5/29/2026, 5:19:53 PM