Description
In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace with calico-node. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001.
Published: 2026-05-28
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Tigera Calico, the install-cni init container writes the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder, as it does in Canal (Flannel plus Calico) deployments, the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, so the token ends up in the container log. Any authenticated principal with pods/log permission in the namespace where calico-node runs can read it back out. That token carries patch permission on pods/status, so a holder can rewrite pod annotations and mount the annotation-based attacks the CVE record describes, disrupting or compromising cluster workloads. The default kubeconfig-based authentication path does not substitute the token and is not affected. The record notes that this is a direct regression of the earlier Tigera advisory TTA-2018-001.

Affected Systems

The CVE record lists Tigera Calico 3.32.0 explicitly together with a version-unbounded CPE, so all released versions up to at least 3.32.0 should be treated as affected. The record does not name a fixed release; confirm for each environment whether the installed version includes the fix, and whether the deployment actually uses the token placeholder (Canal/Flannel-Calico) rather than the unaffected kubeconfig path.

Risk and Exploitability

The CVSS 4.0 base score is 6.0 (Medium); the vector's AT:P term reflects that the template must use the token placeholder for the leak to occur. The CVSS 3.1 vector added to the record on 5 June scores 6.5 with high confidentiality impact and no direct integrity or availability impact, the follow-on damage coming from what the stolen token can do. The EPSS estimate is below 1% (Very Low), so the likelihood of exploitation is currently rated low. The weakness is classified as CWE-532: Insertion of Sensitive Information into Log File. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable. The only precondition is pods/log permission in the calico-node namespace, a privilege many clusters grant broadly (developers, CI systems, log-shipping agents), so the PR:L in the vector should not be read as a strong barrier.

Generated by OpenCVE AI on May 28, 2026 at 18:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the hotfixes from pull requests 12502, 12526, and 12527 to the install-cni script to remove the ServiceAccount token from log output.
  • If a newer Calico release incorporating these changes is available, upgrade to that version.
  • Restrict pod log access via RBAC so only administrators can view logs in the calico-node namespace, enforcing least privilege for service accounts and users.
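The rendering step described in the Impact section and the fix recommended in the first action above, as an added example. This is not Calico's install-cni code and does not reproduce the referenced pull requests; it assumes a Canal-style template containing the real __SERVICEACCOUNT_TOKEN__ placeholder, and the sample token, the template fragment and the function names render_config, redact_for_log and contains_jwt are constructed for the demonstration. The last function is the check a practitioner would run over captured calico-node init container logs to learn whether a token has already been exposed.

```sh
#!/bin/sh
# Added example, not Calico's own install-cni code. It models the rendering step the
# CVE describes: __SERVICEACCOUNT_TOKEN__ is the real placeholder from the Canal
# template; the token, template fragment and function names below are constructed.

# Constructed stand-in for the contents of
# /var/run/secrets/kubernetes.io/serviceaccount/token. Real tokens are JWTs:
# three base64url segments joined by dots, the first almost always starting "eyJ".
SAMPLE_TOKEN='eyJhbGciOiJSUzI1NiIsImtpZCI6ImRlbW8ifQ.eyJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06Y2FuYWwifQ.c2lnbmF0dXJl'

# Constructed template fragment in the style of a Canal CNI config.
SAMPLE_TEMPLATE='{"kubernetes": {"k8s_api_root": "https://10.96.0.1:443", "token": "__SERVICEACCOUNT_TOKEN__"}}'

# Vulnerable step: substitute the live token into the template. Logging this result
# verbatim is the bug; anyone with pods/log on the namespace can read the token.
# (base64url tokens contain none of sed's special characters | & \, so the plain
# substitution is safe here.)
render_config() {
  # $1 = template text, $2 = token
  printf '%s\n' "$1" | sed "s|__SERVICEACCOUNT_TOKEN__|$2|g"
}

# Hardened step: the rendered file still goes to the CNI directory unchanged, but
# the copy that is written to the log has the token masked first.
redact_for_log() {
  # $1 = rendered config, $2 = token
  printf '%s\n' "$1" | sed "s|$2|<redacted>|g"
}

# Audit helper for existing clusters: returns 0 when the text contains a
# JWT-shaped string, i.e. when a captured init-container log has leaked a token.
contains_jwt() {
  printf '%s\n' "$1" | grep -Eq 'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'
}

# Stand-alone demonstration of both behaviours.
rendered="$(render_config "$SAMPLE_TEMPLATE" "$SAMPLE_TOKEN")"
echo "vulnerable log line: $rendered"
echo "hardened log line:   $(redact_for_log "$rendered" "$SAMPLE_TOKEN")"
```

Run it with sh. To feed real log lines to the check, kubectl logs -n <namespace> <calico-node-pod> -c install-cni returns the init container's output while the pod exists; kubectl auth can-i get pods --subresource=log -n <namespace> --as=<principal> answers the RBAC question in the third action above for a given user or service account. A token found in a log should be treated as compromised: rotating the ServiceAccount token matters as much as stopping the log line, because redaction does nothing for copies that log aggregators have already shipped.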

Generated by OpenCVE AI on May 28, 2026 at 18:56 UTC.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:tigera:calico:*:*:*:*:cloud:*:*:*
cpe:2.3:a:tigera:calico:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:tigera:calico:*:*:*:*:open_source:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Thu, 28 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace with calico-node. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001.
Title ServiceAccount token disclosure via install-cni container logs
First Time appeared Tigera
Tigera calico
Weaknesses CWE-532
CPEs cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:*
cpe:2.3:a:tigera:calico:3.32.0:*:*:*:*:*:*:*
Vendors & Products Tigera
Tigera calico
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: Tigera

Published:

Updated: 2026-05-28T17:04:36.059Z

Reserved: 2026-04-17T17:41:35.905Z

Link: CVE-2026-41184

Vulnrichment

Updated: 2026-05-28T17:04:33.558Z

NVD

Status : Analyzed

Published: 2026-05-28T17:16:22.270

Modified: 2026-06-05T17:05:19.253

Link: CVE-2026-41184

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T19:00:16Z

Weaknesses
  • CWE-532

    Insertion of Sensitive Information into Log File