Description
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5.
Published: 2026-05-28
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from default Kuma control-plane configuration that permits any HTTP origin to request the admin bootstrap token and signing keys. Because of the wildcard CORS policy and the enabled LocalhostIsAdmin setting, an attacker who gains access to the same network, or who can get the operator's browser to load a malicious page while the control plane is reachable from it, can perform a cross-origin fetch that retrieves these credentials. The leaked JWT and signing material allow the attacker to authenticate as the mesh-system admin and potentially compromise the entire service mesh, resulting in a full system takeover. The weakness is a form of improper authentication and trust-boundary bypass, classified as CWE-346 (Origin Validation Error) and CWE-942 (Permissive Cross-domain Security Policy with Untrusted Domains).

Affected Systems

Affected versions of Kuma include 2.7.24 and older, 2.9.14 and older, 2.11.12 and older, 2.12.9 and older, and 2.13.4 and older. These are versions that still ship with the default CorsAllowedDomains set to ".*" and LocalhostIsAdmin enabled.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate risk, but exploitation requires only that a browser with network access to the control plane load a crafted page that issues a fetch request to the admin API. The EPSS score is not available, so the exact likelihood is unknown, and the vulnerability is not listed in the CISA KEV catalog, which suggests little known exploitation at this time. Nevertheless, because the exposed credentials grant administrative access, the impact is severe once the token is obtained.

Generated by OpenCVE AI on May 28, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Kuma 2.7.25, 2.9.15, 2.11.13, 2.12.10, or 2.13.5 (or a later release in the same series), which remove the vulnerable CORS and Localhost defaults.
  • If upgrading is not immediately possible, reconfigure the control plane to restrict CorsAllowedDomains to trusted origins and set LocalhostIsAdmin to false.
  • Monitor access logs for anomalous requests to the admin endpoints and verify that no unauthorized party has obtained the bootstrap token.

Generated by OpenCVE AI on May 28, 2026 at 19:21 UTC.
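As an added illustration that is not part of this advisory or of the Kuma project, the following Python helpers audit a kuma-cp configuration for the two weak settings named above and decide, from a captured response's headers, whether a cross-origin page could read that response. The field names CorsAllowedDomains and LocalhostIsAdmin are taken from the advisory; the assumption that each CorsAllowedDomains entry is a regular expression (as the ".*" default implies), the probe origins, and the kuma-gui.internal.example origin in the hardened configuration are constructed for the example and stand in for an operator's real values.

```python
# Added audit helpers (not Kuma project code): they flag the two weak kuma-cp
# settings named in the advisory and tell whether a control-plane response
# would let a cross-origin page read its body.
# Assumptions: settings are looked up by the field names the advisory uses
# (CorsAllowedDomains, LocalhostIsAdmin), and each CorsAllowedDomains entry is
# a regular expression, as the ".*" default implies.
import re
from typing import Mapping, Sequence

# Constructed origins used only to probe whether a pattern matches "anything".
PROBE_ORIGINS = ("https://example.invalid", "http://attacker.invalid:8080")


def cors_config_is_permissive(cors_allowed_domains: Sequence[str]) -> bool:
    """Return True if any entry admits arbitrary origins (e.g. ".*" or "")."""
    for pattern in cors_allowed_domains:
        try:
            compiled = re.compile(pattern)
        except re.error:
            continue  # an invalid pattern cannot match anything
        if all(compiled.search(origin) for origin in PROBE_ORIGINS):
            return True
    return False


def audit_kuma_cp_config(config: Mapping[str, object]) -> list[str]:
    """Return human-readable findings for the weak defaults from the advisory."""
    findings: list[str] = []
    domains = config.get("CorsAllowedDomains", [])
    if isinstance(domains, (list, tuple)) and cors_config_is_permissive(domains):
        findings.append(
            "CorsAllowedDomains admits arbitrary origins; restrict it to trusted GUI origins"
        )
    if config.get("LocalhostIsAdmin") is True:
        findings.append(
            "LocalhostIsAdmin is true; requests from 127.0.0.1 are promoted to mesh-system:admin"
        )
    return findings


def origin_is_reflected(request_origin: str, response_headers: Mapping[str, str]) -> bool:
    """Return True if a page at request_origin could read this response.

    A wildcard or an echoed Origin both let a plain (credential-free)
    cross-origin fetch read the body, which is all the advisory's scenario
    needs because the admin promotion is based on the 127.0.0.1 source address.
    """
    acao = next(
        (v for k, v in response_headers.items() if k.lower() == "access-control-allow-origin"),
        None,
    )
    return acao is not None and (acao.strip() == "*" or acao.strip() == request_origin)


# Constructed configurations: the pre-fix default beside a hardened variant.
WEAK_CONFIG = {"CorsAllowedDomains": [".*"], "LocalhostIsAdmin": True}
HARDENED_CONFIG = {
    # placeholder GUI origin; replace with the origin(s) that should reach kuma-cp
    "CorsAllowedDomains": [r"^https://kuma-gui\.internal\.example$"],
    "LocalhostIsAdmin": False,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_kuma_cp_config(cfg) or ["no findings"])
```

The audit treats an entry as permissive only if it matches every probe origin, so a legitimately broad but bounded pattern (one host, one scheme) is not flagged; the header check reads the Access-Control-Allow-Origin value case-insensitively because captured responses from proxies often lower-case header names.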

Advisories

Source: Github GHSA
ID: GHSA-3vcp-chfh-f6r2
Title: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

History

Thu, 28 May 2026 20:30:00 +0000
  Metrics (values added): ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 19:45:00 +0000
  First Time appeared (values added): Kumahq; Kumahq kuma
  Vendors & Products (values added): Kumahq; Kumahq kuma

Thu, 28 May 2026 18:00:00 +0000
  Description (values added): the vulnerability description quoted in the Description section above
  Title (values added): Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
  Weaknesses (values added): CWE-346; CWE-942
  References (values added): none listed
  Metrics (values added): cvssV4_0
    {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-05-28T19:30:33.327Z
  Reserved: 2026-05-08T16:58:28.896Z
  Link: CVE-2026-45021

Vulnrichment

  Updated: 2026-05-28T19:30:23.444Z

NVD

  Status: Deferred
  Published: 2026-05-28T18:16:34.167
  Modified: 2026-05-28T18:56:36.823
  Link: CVE-2026-45021

Redhat

  No data.

OpenCVE Enrichment

  Updated: 2026-05-28T19:30:16Z

Weaknesses
  • CWE-346: Origin Validation Error
  • CWE-942: Permissive Cross-domain Security Policy with Untrusted Domains