CVE-2026-6720: CWE-532 in Tigera Calico
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.
AI Analysis
Technical Summary
When calicoctl is run with the --log-level set to info or debug, it outputs the full connection-configuration struct to stderr in a single log line. This struct contains all credentials used by calicoctl to communicate with the cluster, including inline kubeconfig with bearer tokens, Kubernetes API bearer tokens, etcd passwords, and PEM-encoded etcd client certificates and keys. Any entity with access to the stderr stream can extract these credentials without needing Kubernetes privileges. The vulnerability is categorized under CWE-532 (Information Exposure Through Log Files) and has a CVSS 4.0 base score of 7.2 (high severity). There is no vendor advisory or patch information available at this time.
Potential Impact
Exposure of sensitive cluster credentials through verbose logging can lead to unauthorized access to Kubernetes cluster resources and etcd data if an attacker or unauthorized user can access the stderr output. This can compromise cluster confidentiality and integrity. However, exploitation requires that verbose logging be explicitly enabled and that the attacker has access to the stderr stream or logs containing it.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid running calicoctl with --log-level=info or --log-level=debug in environments where stderr output can be accessed by untrusted parties. Restrict access to logs and CI job outputs that may contain calicoctl stderr output. Use the default log level (panic) unless verbose logging is necessary and secure.
CVE-2026-6720: CWE-532 in Tigera Calico
Description
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.
CVSS v4.0
Score 7.2high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
When calicoctl is run with the --log-level set to info or debug, it outputs the full connection-configuration struct to stderr in a single log line. This struct contains all credentials used by calicoctl to communicate with the cluster, including inline kubeconfig with bearer tokens, Kubernetes API bearer tokens, etcd passwords, and PEM-encoded etcd client certificates and keys. Any entity with access to the stderr stream can extract these credentials without needing Kubernetes privileges. The vulnerability is categorized under CWE-532 (Information Exposure Through Log Files) and has a CVSS 4.0 base score of 7.2 (high severity). There is no vendor advisory or patch information available at this time.
Potential Impact
Exposure of sensitive cluster credentials through verbose logging can lead to unauthorized access to Kubernetes cluster resources and etcd data if an attacker or unauthorized user can access the stderr output. This can compromise cluster confidentiality and integrity. However, exploitation requires that verbose logging be explicitly enabled and that the attacker has access to the stderr stream or logs containing it.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid running calicoctl with --log-level=info or --log-level=debug in environments where stderr output can be accessed by untrusted parties. Restrict access to logs and CI job outputs that may contain calicoctl stderr output. Use the default log level (panic) unless verbose logging is necessary and secure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Tigera
- Date Reserved
- 2026-04-20T19:31:31.065Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1871f0e29bf47b5012467a
Added to database: 5/28/2026, 4:48:48 PM
Last enriched: 5/28/2026, 5:03:34 PM
Last updated: 5/29/2026, 10:34:35 AM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.