CVE-2026-55882

Source
https://cve.org/CVERecord?id=CVE-2026-55882
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55882.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55882
Aliases
Published
2026-07-10T21:37:12.245Z
Modified
2026-07-16T03:31:12.623561710Z
Severity
  • 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server
Details

Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memory through /debug/pprof/heap and /debug/pprof/goroutine, including session and apiserver tokens, and degrade performance through /debug/pprof/profile or /debug/pprof/trace. This issue is fixed in version 0.37.4.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55882.json"
}
References

Affected packages

Git / github.com/tilt-dev/tilt

Affected ranges

Type
GIT
Repo
https://github.com/tilt-dev/tilt
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0.19.5"
        },
        {
            "fixed": "0.37.4"
        }
    ]
}

Affected versions

v0.*
v0.19.5
v0.19.6
v0.19.7
v0.20.0
v0.20.2
v0.20.3
v0.20.4
v0.20.5
v0.20.6
v0.20.7
v0.20.8
v0.20.9
v0.21.0
v0.21.1
v0.21.3
v0.22.0
v0.22.1
v0.22.10
v0.22.11
v0.22.12
v0.22.13
v0.22.14
v0.22.15
v0.22.2
v0.22.3
v0.22.4
v0.22.5
v0.22.6
v0.22.7
v0.22.8
v0.22.9
v0.23.0
v0.23.1
v0.23.2
v0.23.3
v0.23.4
v0.23.5
v0.23.6
v0.23.7
v0.23.8
v0.23.9
v0.24.0
v0.25.0
v0.25.1
v0.25.2
v0.25.3
v0.26.0
v0.26.1
v0.26.2
v0.26.3
v0.27.0
v0.27.1
v0.27.2
v0.27.3
v0.28.0
v0.28.1
v0.29.0
v0.30.0
v0.30.1
v0.30.10
v0.30.11
v0.30.12
v0.30.13
v0.30.2
v0.30.3
v0.30.4
v0.30.5
v0.30.6
v0.30.7
v0.30.8
v0.30.9
v0.31.0
v0.31.1
v0.31.2
v0.32.0
v0.32.1
v0.32.2
v0.32.3
v0.32.4
v0.33.0
v0.33.1
v0.33.10
v0.33.11
v0.33.12
v0.33.13
v0.33.14
v0.33.15
v0.33.16
v0.33.17
v0.33.18
v0.33.19
v0.33.2
v0.33.20
v0.33.21
v0.33.22
v0.33.3
v0.33.4
v0.33.5
v0.33.6
v0.33.7
v0.33.8
v0.33.9
v0.34.0
v0.34.1
v0.34.2
v0.34.3
v0.34.4
v0.34.5
v0.35.0
v0.35.1
v0.35.2
v0.36.0
v0.36.1
v0.36.2
v0.36.3
v0.37.0
v0.37.1
v0.37.2
v0.37.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55882.json"