Impact
Kubetail, a real-time logging dashboard, contained a Cross-Site WebSocket Hijacking (CSWSH) flaw that allowed an attacker to read live Kubernetes logs from a user who was already authenticated to the dashboard. The weakness stemmed from insufficient validation of the Origin header on WebSocket upgrade requests: a malicious web page could open a WebSocket connection to the dashboard, the browser attached the victim's session credentials to the handshake, and the page then received the log stream. The primary impact is a confidentiality breach; attackers could harvest sensitive information from the logs, potentially exposing application state, credentials, or other valuable operational data. The vulnerability is classified as CWE-1385 (Missing Origin Validation in WebSockets), which here results in a loss of confidentiality through improper WebSocket handling.
Affected Systems
The affected product is kubetail from kubetail-org, comprising the cli, dashboard, and core components. Any deployment running a version prior to 0.14.0 is vulnerable, including the default desktop instance served on http://localhost:7500 and cluster deployments exposed behind an Ingress with HTTP basic authentication. Users of earlier releases should verify their version and upgrade to 0.14.0 or later before continuing to use the dashboard.
Risk and Exploitability
The CVSS score of 6.5 denotes moderate severity. No EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited evidence of active exploitation in the wild. Based on the description, the likely attack vector is a user visiting a malicious web page while holding an active Kubetail session, after which the attacker's page opens a WebSocket to the dashboard and streams logs in real time. Because the attack requires only a valid session and a visit to an attacker-controlled page (no script execution on the dashboard's own origin), exploitation is plausible through social engineering or phishing campaigns targeting administrators.
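The mechanism described under Impact and the attack vector described above both come down to one missing check on the WebSocket handshake. The following Go program is an added example, not Kubetail's code: it places a permissive Origin check (the flaw class) beside a hardened one that accepts only same-origin requests or an explicit allow-list, wires the hardened check in as middleware ahead of the upgrade handler, and drives constructed handshake requests through it. The allow-list entry `https://dashboard.corp.example`, the `/ws` path, and the sample origins are assumptions chosen for illustration; only `http://localhost:7500` comes from the advisory.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed allow-list: origins other than the dashboard's own host that
// may open log streams (here a hypothetical Ingress-hosted dashboard).
var trustedOrigins = []string{"https://dashboard.corp.example"}

// vulnerableOriginCheck models the flaw class: every handshake is accepted,
// so a page on any site can open a WebSocket to the dashboard and the
// browser attaches the victim's session credentials to the upgrade request.
func vulnerableOriginCheck(r *http.Request) bool {
	return true
}

// hardenedOriginCheck accepts the handshake only when Origin is present and
// names either the host that served the page (same-origin) or an explicitly
// allow-listed scheme://host[:port]. Hosts are compared whole, so
// localhost.evil.example:7500 does not match localhost:7500.
func hardenedOriginCheck(r *http.Request, allowed []string) bool {
	raw := r.Header.Get("Origin")
	if raw == "" {
		// Browsers always send Origin on a WebSocket handshake; deny rather
		// than guess when it is missing.
		return false
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	// Same-origin: compare host:port only, since TLS may terminate at an
	// Ingress and the scheme seen here would not be the browser's.
	if strings.EqualFold(u.Host, r.Host) {
		return true
	}
	origin := strings.ToLower(u.Scheme + "://" + u.Host)
	for _, a := range allowed {
		if origin == strings.ToLower(a) {
			return true
		}
	}
	return false
}

// dashboardOriginCheck binds the hardened check to the constructed allow-list.
func dashboardOriginCheck(r *http.Request) bool {
	return hardenedOriginCheck(r, trustedOrigins)
}

// requireOrigin runs the chosen check before the upgrade handler, so a
// rejected handshake never reaches the code that streams logs.
func requireOrigin(check func(*http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !check(r) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// handshakeStatus sends a constructed upgrade request for the local dashboard
// (http://localhost:7500) with the given Origin through the middleware and
// returns the HTTP status: 101 when the upgrade would proceed, 403 otherwise.
func handshakeStatus(origin string, check func(*http.Request) bool) int {
	stream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Stand-in for the real upgrade-and-stream-logs handler.
		w.WriteHeader(http.StatusSwitchingProtocols)
	})
	req := httptest.NewRequest(http.MethodGet, "http://localhost:7500/ws", nil)
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Upgrade", "websocket")
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	requireOrigin(check, stream).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	origins := []string{
		"http://localhost:7500",              // same-origin page
		"https://dashboard.corp.example",     // allow-listed
		"http://dashboard.corp.example",      // allow-listed host, wrong scheme
		"http://localhost.evil.example:7500", // look-alike host
		"https://attacker.example",           // arbitrary third-party page
		"",                                   // no Origin at all
	}
	for _, o := range origins {
		fmt.Printf("Origin %-38q vulnerable=%d hardened=%d\n",
			o, handshakeStatus(o, vulnerableOriginCheck), handshakeStatus(o, dashboardOriginCheck))
	}
}
```

Running it shows the vulnerable check returning 101 for every origin, including the third-party page, while the hardened check returns 101 only for the same-origin page and the exact allow-listed origin. The same-origin comparison deliberately uses the Host header rather than the scheme so that a dashboard behind a TLS-terminating Ingress still recognises its own pages; the allow-list comparison includes the scheme so that an `http://` look-alike of an `https://` entry is refused.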
OpenCVE Enrichment
Github GHSA