CVE-2026-45021

MEDIUM

Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

Title source: cna
STIX 2.1

Description

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5.

References (8)

Core 8
Core References
X_Refsource_Misc x_refsource_misc
https://github.com/kumahq/kuma/pull/16416
X_Refsource_Misc x_refsource_misc
https://github.com/kumahq/kuma/pull/16423
X_Refsource_Misc x_refsource_misc
https://github.com/kumahq/kuma/pull/16424
X_Refsource_Misc x_refsource_misc
https://github.com/kumahq/kuma/pull/16425
X_Refsource_Misc x_refsource_misc
https://github.com/kumahq/kuma/pull/16426
X_Refsource_Misc x_refsource_misc
https://github.com/kumahq/kuma/pull/16427

Scores

CVSS v4 5.1
EPSS 0.0020
EPSS Percentile 10.4%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-346 CWE-942
Status published
Products (10)
kumahq/kuma 0 - 2.7.25Go
kumahq/kuma 2.11.0 - 2.11.13Go
kumahq/kuma 2.12.0 - 2.12.10Go
kumahq/kuma 2.13.0 - 2.13.5Go
kumahq/kuma 2.9.0 - 2.9.15Go
kumahq/kuma < 2.7.25
kumahq/kuma >= 2.11.0, < 2.11.13
kumahq/kuma >= 2.12.0, < 2.12.10
kumahq/kuma >= 2.13.0, < 2.13.5
kumahq/kuma >= 2.9.0, < 2.9.15
Published May 28, 2026
Tracked Since May 28, 2026