PT-2026-38264 · Devspace · Devspace
B0B0Haha
Published 2026-05-06
Updated 2026-05-14
CVE-2026-42283

| Metric | Value |
|---|---|
| CVSS v3.1 | 7.8 (High) |
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
DevSpace versions prior to 6.3.21
Description
The UI server's WebSocket endpoint accepts connections from any origin by default. Browsers do not apply the same-origin policy to WebSocket handshakes, so a server that does not validate the Origin header is reachable from any page the user has open: a malicious website visited by a developer can establish a cross-origin WebSocket connection to 'ws://127.0.0.1:8090' from the developer's browser. This gives the page unauthorized access to the following endpoints:
- '/api/logs' to stream real-time pod logs
- '/api/enter' to open an interactive shell inside the running pod
- '/api/command' to execute pre-defined pipeline commands
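The missing check, as an added illustration: this is not DevSpace's code and not the vendor's actual fix (the advisory does not describe it). It is a standard-library Go origin check for a local WebSocket UI server that admits only browser origins naming the loopback listener on port 8090, applies the same test to the Host header so a DNS-rebinding name does not pass as same-origin, and refuses the handshake with 403 before any upgrade on '/api/logs', '/api/enter' or '/api/command'. The port constant, the function names and the stand-in handler are assumptions.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Port of the local UI WebSocket listener named in the advisory (assumed here).
const uiPort = "8090"

// loopbackOnly reports whether hostport is the UI listener itself: a loopback host
// on uiPort. Checking the Host header with it too rejects DNS-rebinding names.
func loopbackOnly(hostport string) bool {
	host, port, err := net.SplitHostPort(hostport)
	if err != nil || port != uiPort {
		return false
	}
	return strings.EqualFold(host, "localhost") || net.ParseIP(host).IsLoopback()
}

// originAllowed: an empty Origin is a non-browser client (CLI, curl), which a web page
// cannot drive, so it passes; a browser Origin must be the UI's own loopback origin.
func originAllowed(origin, host string) bool {
	if !loopbackOnly(host) {
		return false
	}
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin) // the literal "null" origin has no scheme and fails
	return err == nil && u.Scheme == "http" && loopbackOnly(u.Host)
}

// guard refuses a foreign origin with 403 before any WebSocket upgrade can happen.
func guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !originAllowed(r.Header.Get("Origin"), r.Host) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() { // stand-in for the upgrade handlers on /api/logs, /api/enter and /api/command
	log.Fatal(http.ListenAndServe("127.0.0.1:"+uiPort, guard(http.NotFoundHandler())))
}
```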
Recommendations
Update to version 6.3.21 or later.
Fix
Information Disclosure
Missing Authentication
Affected Products
Devspace