VIR Vulnerability Intelligence Relay

CVE-2026-45021

medium
Published 2026-05-14 ยท Modified 2026-05-28
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
5.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VIR risk
5.5

Description

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Package impact
EcosystemPackageVulnerableFixed
golang Gogithub.com/kumahq/kuma<2.7.252.7.25
golang Gogithub.com/kumahq/kuma>=2.9.0,<2.9.152.9.15
golang Gogithub.com/kumahq/kuma>=2.11.0,<2.11.132.11.13
golang Gogithub.com/kumahq/kuma>=2.12.0,<2.12.102.12.10
golang Gogithub.com/kumahq/kuma>=2.13.0,<2.13.52.13.5
golang GOgithub.com/kumahq/kuma>= 2.13.0, < 2.13.52.13.5
golang GOgithub.com/kumahq/kuma>= 2.12.0, < 2.12.102.12.10
golang GOgithub.com/kumahq/kuma>= 2.11.0, < 2.11.132.11.13
golang GOgithub.com/kumahq/kuma>= 2.9.0, < 2.9.152.9.15
golang GOgithub.com/kumahq/kuma< 2.7.252.7.25

References

CWEs

CWE-346 CWE-942

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.