CVE-2026-45021

Source
https://cve.org/CVERecord?id=CVE-2026-45021
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45021.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45021
Aliases
Published
2026-05-28T17:45:14.434Z
Modified
2026-07-08T08:18:22.126419033Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Details

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45021.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-346",
        "CWE-942"
    ]
}
References

Affected packages

Git / github.com/kumahq/kuma

Affected ranges

Type
GIT
Repo
https://github.com/kumahq/kuma
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.7.25"
        },
        {
            "introduced": "2.9.0"
        },
        {
            "fixed": "2.9.15"
        },
        {
            "introduced": "2.11.0"
        },
        {
            "fixed": "2.11.13"
        },
        {
            "introduced": "2.12.0"
        },
        {
            "fixed": "2.12.10"
        },
        {
            "introduced": "2.13.0"
        },
        {
            "fixed": "2.13.5"
        }
    ]
}

Affected versions

0.*
0.1.0
0.1.1
0.1.2
0.2.0
0.2.0-rc1
0.2.1
0.2.2
0.2.2-rc1
0.2.3-rc4
0.3.0
0.3.0-rc1
0.3.0-rc2
0.3.1
0.3.2
0.3.2-rc2
0.4.0
0.4.0-rc1
0.4.0-rc2
0.5.0
0.5.0-rc1
0.5.0-rc2
0.5.1
0.6.0
0.7.0
0.7.1
Other
080-preview-1
080-preview-2
080-preview-3
1.*
1.0.0-rc1
1.0.0-rc2
1.2.0
1.2.0-rc1
1.4.0-rc1
1.5.0-rc1
2.*
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.11.5
2.11.6
2.11.7
2.12.0
2.12.1
2.12.2
2.12.3
2.7.0
2.7.1
2.7.10
2.7.11
2.7.12
2.7.13
2.7.14
2.7.15
2.7.16
2.7.17
2.7.18
2.7.19
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.9.0
2.9.1
2.9.10
2.9.11
2.9.12
2.9.13
2.9.14
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
v2.*
v2.11.10
v2.11.11
v2.11.12
v2.11.8
v2.11.9
v2.12.4
v2.12.5
v2.12.6
v2.12.7
v2.12.8
v2.12.9
v2.13.0
v2.13.1
v2.13.2
v2.13.3
v2.13.4
v2.7.20
v2.7.21
v2.7.22
v2.7.23
v2.7.24
v2.9.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45021.json"