Morey

#41270 of 53,624
6.5 Total CVSS
Vulnerabilities · 1
PT-2026-38411
6.5
2026-05-07
Unknown · Kubetail Helm Chart · CVE-2026-44514
**Name of the Vulnerable Software and Affected Versions**

- Kubetail Dashboard versions prior to 0.14.0
- Kubetail Helm Chart versions prior to 0.23.0
- Kubetail CLI versions prior to 0.16.0

**Description**

Kubetail's dashboard exposes WebSocket endpoints that do not adequately validate the Origin header during the connection upgrade process. This leads to Cross-Site WebSocket Hijacking (CSWSH), a vulnerability where a malicious website visited by an authenticated user can establish a WebSocket connection to the user's dashboard. This allows an attacker to stream and exfiltrate Kubernetes container logs in real time.

The issue affects both desktop deployments and cluster deployments using HTTP basic auth, as browsers automatically attach ambient credentials to the WebSocket handshake. While the access is read-only, logs may contain sensitive data such as credentials, bearer tokens, internal hostnames, and personally identifiable information (PII).

**Recommendations**

- Update Kubetail Dashboard to version 0.14.0 or later.
- Update Kubetail Helm Chart to version 0.23.0 or later.
- Update Kubetail CLI to version 0.16.0 or later.
- For desktop users, stop the dashboard process when not in use and avoid visiting untrusted sites in the same browser profile while it is running.
- For cluster deployments, restrict Ingress access to a VPN, bastion, or office network, or implement a stronger authentication layer such as an OAuth proxy.
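
The description above comes down to a missing Origin check on the WebSocket upgrade request. The Go sketch below is an added example, not Kubetail's code: it shows an exact-match Origin allowlist enforced before the upgrade. The function names and the allowlisted origin `https://logs.example.internal` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// originAllowed reports whether a handshake's Origin header exactly matches a
// trusted origin ("scheme://host[:port]"). The allowlist is an assumed setting.
func originAllowed(origin string, allowed []string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" || u.User != nil || u.Path != "" || u.RawQuery != "" {
		return false // missing, opaque ("null") or malformed Origin
	}
	got := strings.ToLower(u.Scheme + "://" + u.Host)
	for _, a := range allowed {
		if got == strings.ToLower(a) { // exact match, never prefix or substring
			return true
		}
	}
	return false
}

// guardUpgrade rejects WebSocket upgrade requests from untrusted origins
// before any handler can start streaming data over the connection.
func guardUpgrade(next http.Handler, allowed []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.EqualFold(r.Header.Get("Upgrade"), "websocket") &&
			!originAllowed(r.Header.Get("Origin"), allowed) {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	allowed := []string{"https://logs.example.internal"} // constructed value
	for _, o := range []string{ // constructed sample Origin headers
		"https://logs.example.internal",
		"https://logs.example.internal.attacker.test",
		"null",
		"",
	} {
		fmt.Printf("%-45q allowed=%v\n", o, originAllowed(o, allowed))
	}
	_ = guardUpgrade(http.NotFoundHandler(), allowed)
}
```

Rejecting a missing Origin is a strict choice here: browsers always send the header on WebSocket handshakes, so only non-browser clients are affected and they would need a separately authenticated path.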