Description
When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map (stdinData) at INFO level to /var/log/calico/cni/cni.log on every CNI ADD and DEL invocation — once per pod scheduled or terminated on the node. When the cluster is deployed using token-based Kubernetes authentication, this log entry contains the ServiceAccount token, client key, and certificate authority in plaintext. Any principal with read access to /var/log/calico/cni/cni.log on a node can read these logs and extract the credentials, which grant cluster-wide Calico networking admin privileges.
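The following Go program is an added illustration of the logging defect described above and of the fix a plugin author would apply; it is not Calico's code. It decodes a constructed CNI stdin payload (placeholder credential values, not real secrets) into the same kind of map the description calls stdinData, then builds the log line two ways: once serialising the whole map, as the vulnerable helper does, and once after redacting credential-bearing keys. The key names k8s_auth_token, k8s_client_key, k8s_client_certificate and k8s_certificate_authority are assumed from the Calico CNI configuration format and are not stated on this page; the LeaksCredential check is a simple detection heuristic for reviewing an existing cni.log.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample stdin payload; the token, key and CA are placeholders.
// Key names under "kubernetes" are assumed from the Calico CNI config format.
const sampleStdinData = `{
  "cniVersion": "0.3.1",
  "name": "azure",
  "type": "calico",
  "ipam": {"type": "azure-vnet-ipam"},
  "kubernetes": {
    "k8s_api_root": "https://10.0.0.1:443",
    "k8s_auth_token": "eyJhbGciOiJSUzI1NiJ9.PLACEHOLDER-TOKEN",
    "k8s_client_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----",
    "k8s_certificate_authority": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----"
  }
}`

// Keys whose values must never reach a log file (assumed Calico field names).
var sensitiveKeys = map[string]bool{
	"k8s_auth_token":            true,
	"k8s_client_key":            true,
	"k8s_client_certificate":    true,
	"k8s_certificate_authority": true,
}

// isSensitiveKey matches the known credential keys plus generic markers so that
// new fields carrying secrets are caught even if the exact name is unknown.
func isSensitiveKey(k string) bool {
	lk := strings.ToLower(k)
	if sensitiveKeys[lk] {
		return true
	}
	for _, marker := range []string{"token", "password", "secret", "private_key"} {
		if strings.Contains(lk, marker) {
			return true
		}
	}
	return false
}

// redact returns a deep copy of the decoded config with every value stored under
// a credential-bearing key replaced by "[REDACTED]", at any nesting depth.
func redact(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, val := range t {
			if isSensitiveKey(k) {
				out[k] = "[REDACTED]"
			} else {
				out[k] = redact(val)
			}
		}
		return out
	case []interface{}:
		out := make([]interface{}, len(t))
		for i, val := range t {
			out[i] = redact(val)
		}
		return out
	default:
		return v
	}
}

// logLine models the INFO log entry written on every CNI ADD/DEL. With
// redactSecrets=false it reproduces the defect: the full stdinData is serialised.
func logLine(stdinData []byte, redactSecrets bool) (string, error) {
	var conf map[string]interface{}
	if err := json.Unmarshal(stdinData, &conf); err != nil {
		return "", err
	}
	var toLog interface{} = conf
	if redactSecrets {
		toLog = redact(conf)
	}
	b, err := json.Marshal(toLog)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("level=info msg=\"delegating to IPAM plugin\" conf=%s", b), nil
}

// VulnerableLogLine logs the whole configuration map, as the affected helper does.
func VulnerableLogLine(stdinData []byte) (string, error) { return logLine(stdinData, false) }

// SafeLogLine logs the configuration with credentials masked.
func SafeLogLine(stdinData []byte) (string, error) { return logLine(stdinData, true) }

// LeaksCredential is a heuristic for auditing an existing log line: a JWT prefix
// or PEM header inside a log entry is a strong sign that credentials were written.
func LeaksCredential(line string) bool {
	for _, marker := range []string{"eyJ", "BEGIN PRIVATE KEY", "BEGIN CERTIFICATE"} {
		if strings.Contains(line, marker) {
			return true
		}
	}
	return false
}

func main() {
	bad, _ := VulnerableLogLine([]byte(sampleStdinData))
	good, _ := SafeLogLine([]byte(sampleStdinData))
	fmt.Printf("vulnerable line leaks credentials: %v\n%s\n\n", LeaksCredential(bad), bad)
	fmt.Printf("redacted line leaks credentials: %v\n%s\n", LeaksCredential(good), good)
}
```

The redaction runs on the decoded map rather than on the raw stdin bytes, so it survives reformatting and nested placement of the credentials; non-secret fields such as the API root and the delegated IPAM type are preserved, which keeps the log entry useful for debugging the delegation step.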
Published: 2026-05-28
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists when Calico’s CNI binary alters the incoming configuration before passing it to the Azure IPAM plugin. During this mutation the Azure IPAM helper logs the entire configuration map at INFO level to /var/log/calico/cni/cni.log. When token‑based Kubernetes authentication is used, the logged configuration contains the ServiceAccount token, client key, and certificate authority in plain text, thereby exposing these credentials to anyone who can read the node’s log file. An attacker with read access to this log can extract the credentials and obtain cluster‑wide Calico networking administrator rights, enabling manipulation of networking policy, egress/ingress rules, or denial of traffic.

Affected Systems

The flaw impacts Tigera Calico, Calico Cloud, and Calico Enterprise deployments that use the Azure IPAM plugin. Affected versions are not listed, so any installation employing the Azure IPAM helper on these products is potentially vulnerable.

Risk and Exploitability

The CVSS score is 6.0, indicating moderate severity; EPSS is not reported, and it is not included in the CISA KEV catalog. Exploitation requires local file read access to /var/log/calico/cni/cni.log, making the attack vector primarily local or authenticated. While the vulnerability has not been widely leveraged, the ability to gain cluster‑wide administrative privileges from the leaked credentials presents a significant risk for compromise if node‑level read permissions can be obtained.

Generated by OpenCVE AI on May 28, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Calico release that removes logging of the full CNI configuration, as referenced in Tigera security bulletin TTA-2026-002.
  • If a patch cannot be applied immediately, reconfigure or disable the Azure IPAM plugin, or adjust CNI logging settings to suppress sensitive information.
  • Restrict file permissions on /var/log/calico/cni/cni.log so that only privileged users can read the log; consider moving the log to a secured location or applying ACLs to limit exposure.


Advisories

No advisories yet.

History

Thu, 28 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map (stdinData) at INFO level to /var/log/calico/cni/cni.log on every CNI ADD and DEL invocation — once per pod scheduled or terminated on the node. When the cluster is deployed using token-based Kubernetes authentication, this log entry contains the ServiceAccount token, client key, and certificate authority in plaintext. Any principal with read access to /var/log/calico/cni/cni.log on a node can read these logs and extract the credentials, which grant cluster-wide Calico networking admin privileges.
Title ServiceAccount token disclosure via Azure IPAM CNI plugin logs
First Time appeared Tigera
Tigera calico
Tigera calico Cloud
Tigera calico Enterprise
Weaknesses CWE-532
CPEs cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:*
cpe:2.3:a:tigera:calico_cloud:*:*:*:*:*:*:*:*
cpe:2.3:a:tigera:calico_enterprise:*:*:*:*:*:*:*:*
Vendors & Products Tigera
Tigera calico
Tigera calico Cloud
Tigera calico Enterprise
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: Tigera

Published:

Updated: 2026-05-28T17:03:54.074Z

Reserved: 2026-04-17T17:41:35.905Z

Link: CVE-2026-41185

Vulnrichment

Updated: 2026-05-28T17:03:51.092Z

NVD

Status : Received

Published: 2026-05-28T17:16:22.670

Modified: 2026-05-28T17:16:22.670

Link: CVE-2026-41185

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T18:30:23Z

Weaknesses