Description
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.
Published: 2026-05-28
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When the calicoctl command is run with a log level of info or debug, the tool writes its entire connection configuration structure to standard error. This structure contains all credentials the client uses to communicate with the Kubernetes API, etcd, and other cluster components, including bearer tokens and PEM‑encoded certificates. As a result, any process or user that can read the standard error stream—such as CI job logs, session recordings, or local log files—can extract these credentials without needing any Kubernetes privileges.

Affected Systems

The flaw affects Tigera Calico, Calico Cloud, and Calico Enterprise deployments. The affected-version entries are unbounded, with Calico Enterprise 3.22.3 explicitly cited. Clients that run calicoctl under these products with verbose logging enabled are impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 7.2, indicating moderate to high severity. The EPSS score is not available, and the flaw is not listed in CISA's KEV catalog, suggesting it has not yet been widely exploited. Attacks are local in nature; any entity that can invoke calicoctl with an elevated log level, or that can read the resulting log output, can obtain cluster credentials. The risk is therefore significant in environments where standard error output is logged or otherwise exposed.

Generated by OpenCVE AI on May 28, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest release of Tigera Calico, Calico Cloud, or Calico Enterprise that contains the upstream fix. The project maintainers reference pull requests 12535‑12537 on GitHub which resolve the issue.
  • Configure calicoctl to use a panic or warn log level instead of info or debug, thereby preventing the credential dump when the tool is executed. Set the log level via the --log-level flag or environment variable before use.
  • Ensure that standard error output is not captured in CI logs, support tickets, or local files—redirect stderr to a secure file, discard it after use, or audit existing logs for leaked credentials.
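The logging pattern behind this bug, together with the log-audit check from the last recommended action, as an added Go example that is not calicoctl's own code: the struct, its field names and the sample values are constructed stand-ins, and the redaction method and regex-based line check are illustrative rather than the upstream fix.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
)

// ClientConfig is a hypothetical stand-in for the connection-configuration
// struct calicoctl loads; field names are illustrative, not calicoctl's own.
type ClientConfig struct {
	K8sEndpoint, K8sToken, EtcdEndpoints, EtcdPassword, EtcdKeyInline string
}

// vulnerableDump mirrors the bug: formatting the whole struct puts every credential in the line.
func vulnerableDump(cfg ClientConfig) string { return fmt.Sprintf("loaded config: %+v", cfg) }

// Redacted masks the secret-bearing fields; the receiver is a copy, so the caller's config is untouched.
func (c ClientConfig) Redacted() ClientConfig {
	c.K8sToken, c.EtcdPassword, c.EtcdKeyInline = "[REDACTED]", "[REDACTED]", "[REDACTED]"
	return c
}

// safeDump is the hardened form: log the redacted view, never the raw struct.
func safeDump(cfg ClientConfig) string { return fmt.Sprintf("loaded config: %+v", cfg.Redacted()) }

// leak matches either a PEM private-key header or a token/password/key field and its value.
var leak = regexp.MustCompile(`(?i)-----BEGIN [A-Z ]*PRIVATE KEY-----|(token|password|keyinline):([^\s}]*)`)
// LineLeaksSecret is the audit check for existing logs: true when a line carries a live credential.
func LineLeaksSecret(line string) bool {
	for _, m := range leak.FindAllStringSubmatch(line, -1) {
		// m[1] is empty only for the PEM branch; otherwise m[2] is the field's value.
		if m[1] == "" || (m[2] != "" && m[2] != "[REDACTED]") {
			return true
		}
	}
	return false
}

// sampleConfig holds constructed placeholder values, not real credentials.
func sampleConfig() ClientConfig {
	return ClientConfig{K8sEndpoint: "https://10.0.0.1:6443", K8sToken: "constructed-bearer-token",
		EtcdEndpoints: "https://10.0.0.2:2379", EtcdPassword: "constructed-etcd-password",
		EtcdKeyInline: "-----BEGIN EC PRIVATE KEY-----\nPLACEHOLDER\n-----END EC PRIVATE KEY-----"}
}
func main() {
	cfg := sampleConfig()
	fmt.Fprintln(os.Stderr, vulnerableDump(cfg)) // what --log-level=debug effectively emits
	fmt.Fprintln(os.Stderr, safeDump(cfg))
}
```

Run LineLeaksSecret over each line of an archived CI or session log to find entries that need rotation; a redacted dump keeps endpoints visible for troubleshooting while no credential reaches stderr.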


Advisories

No advisories yet.

History

Thu, 28 May 2026 17:30:00 +0000

Type / Values Added (nothing removed in this entry):
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 17:00:00 +0000

Type / Values Added (nothing removed in this entry):
Description: identical to the Description section at the top of this page
Title: Calicoctl leaks cluster credentials to stderr when verbose logging is enabled
First Time appeared: Tigera; Tigera calico; Tigera calico Cloud; Tigera calico Enterprise
Weaknesses: CWE-532
CPEs:
  cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:*
  cpe:2.3:a:tigera:calico_cloud:*:*:*:*:*:*:*:*
  cpe:2.3:a:tigera:calico_enterprise:*:*:*:*:*:*:*:*
  cpe:2.3:a:tigera:calico_enterprise:3.22.3:*:*:*:*:*:*:*
Vendors & Products: Tigera; Tigera calico; Tigera calico Cloud; Tigera calico Enterprise
References: (none)
Metrics (cvssV4_0): {'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: Tigera

Published:

Updated: 2026-05-28T17:04:11.659Z

Reserved: 2026-04-20T19:31:31.065Z

Link: CVE-2026-6720

Vulnrichment

Updated: 2026-05-28T17:04:08.496Z

NVD

Status: Deferred

Published: 2026-05-28T17:16:33.490

Modified: 2026-05-29T15:39:34.620

Link: CVE-2026-6720

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T19:45:25Z

Weaknesses
  • CWE-532: Insertion of Sensitive Information into Log File