PT-2025-43651 · Unknown · Karmada Dashboard

Published: 2025-10-24 · Updated: 2025-11-07 · CVE-2025-62714

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Karmada Dashboard versions prior to 0.2.0
Description: The Karmada Dashboard, the web-based control panel for the Karmada multi-cluster management project, contains an authentication bypass. Backend API endpoints such as /api/v1/secret and /api/v1/service do not enforce authentication, so unauthenticated users can read sensitive cluster information, including Secrets and Services, directly. The web user interface requires a valid JWT, but the API accepts direct requests without any authentication check. Any user or entity with network access to the Karmada Dashboard service could therefore retrieve sensitive data through these exposed API endpoints. The vulnerable parameters are not explicitly mentioned.
Recommendations: Versions prior to 0.2.0 should be updated to version 0.2.0 or later.
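As an added illustration (not code from the Karmada Dashboard project), the following Go snippet contrasts an API group mounted with no authentication check, which is the flaw the advisory describes, with the same routes wrapped once in an auth middleware so that no route can be registered unprotected. The listing handler, the static bearer token and the probe helper are constructed stand-ins; a real backend would validate the JWT signature, expiry and claims instead of comparing a fixed token.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Resource paths named in the advisory; listHandler is a constructed stub.
var apiPaths = []string{"/api/v1/secret", "/api/v1/service"}

func listHandler(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte(`{"items":[]}`))
}

func mountAPI() *http.ServeMux {
	mux := http.NewServeMux()
	for _, p := range apiPaths {
		mux.HandleFunc(p, listHandler)
	}
	return mux
}

// requireAuth rejects any request lacking a valid bearer token. The token is
// compared against a constructed static value (assumption); a real fix would
// verify the JWT here.
func requireAuth(validToken string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		tok := strings.TrimPrefix(auth, "Bearer ")
		if !strings.HasPrefix(auth, "Bearer ") ||
			subtle.ConstantTimeCompare([]byte(tok), []byte(validToken)) != 1 {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// vulnerableMux mirrors the flaw: the API group is served with no auth check.
func vulnerableMux() http.Handler { return mountAPI() }

// fixedMux wraps the whole group, so every /api/v1 route shares the check.
func fixedMux(validToken string) http.Handler { return requireAuth(validToken, mountAPI()) }

// probe returns the status code a GET with the given Authorization header receives.
func probe(h http.Handler, path, authHeader string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

Running probe against vulnerableMux returns 200 for an unauthenticated request, while fixedMux returns 401 until a valid bearer token is supplied.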
Weakness Enumeration: Missing Authorization

Related Identifiers

CVE-2025-62714
GHSA-5QJG-9MJH-4R92
GO-2025-4072
OPENSUSE-SU-2025:15710-1

Affected Products

Karmada Dashboard