PT-2026-38411 · Unknown · Kubetail Dashboard+2
Morey · Published 2026-05-07 · Updated 2026-06-25
CVE-2026-44514
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Kubetail Dashboard versions prior to 0.14.0
Kubetail Helm Chart versions prior to 0.23.0
Kubetail CLI versions prior to 0.16.0
Description
Kubetail's dashboard exposes WebSocket endpoints that do not validate the Origin header during the HTTP-to-WebSocket upgrade. Because the browser's same-origin policy does not restrict WebSocket handshakes, any website an authenticated user visits can open a WebSocket connection to that user's dashboard: Cross-Site WebSocket Hijacking (CSWSH). Over that connection the attacker's page can stream and exfiltrate Kubernetes container logs in real time. Both desktop deployments and cluster deployments protected only by HTTP basic auth are affected, because the browser automatically attaches its ambient credentials (including cached basic-auth credentials) to the handshake. The access is read-only, but logs routinely contain credentials, bearer tokens, internal hostnames and personally identifiable information (PII), so the practical impact is disclosure of that data to the attacker's site.
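The following Go program is an added illustration of the flaw class described above; it is not Kubetail's own code and does not reproduce its endpoints. It places a handshake handler that ignores Origin (the pre-fix behaviour) beside one that refuses the upgrade unless the Origin host is on an allowlist, falling back to strict host matching against the request's Host header. The helper names (originAllowed, hardenedHandler, handshakeStatus), the /ws path, the localhost:7500 host and the attacker.example origin are all assumptions made for the example. The handshake is replayed in-process with httptest and the upgrade is simulated by returning 101; a real server would hand the connection to a WebSocket library only after the Origin check passes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// originAllowed decides whether a browser-supplied Origin may open a WebSocket.
// allowedHosts holds the host[:port] values the dashboard is served from; when it
// is empty the check falls back to "Origin host == request Host". Only the host is
// compared (not the scheme) because behind a TLS-terminating proxy the handler
// cannot see the original scheme. Hypothetical helper, not Kubetail's code.
func originAllowed(r *http.Request, allowedHosts map[string]bool) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		// Non-browser clients (CLI, curl) send no Origin. Browsers always send it on
		// a WebSocket handshake, so an absent header cannot be a cross-site request.
		return true
	}
	u, err := url.Parse(origin)
	// Rejects garbage and the literal "null" origin sent by sandboxed iframes.
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return false
	}
	host := strings.ToLower(u.Host)
	if len(allowedHosts) == 0 {
		return host == strings.ToLower(r.Host)
	}
	return allowedHosts[host]
}

// isWebSocketHandshake reports whether the request asks for a WebSocket upgrade.
func isWebSocketHandshake(r *http.Request) bool {
	return strings.EqualFold(r.Header.Get("Upgrade"), "websocket") &&
		strings.Contains(strings.ToLower(r.Header.Get("Connection")), "upgrade")
}

// vulnerableHandler models the pre-fix behaviour: any handshake is accepted,
// whatever Origin says. The 101 is simulated; no frames are exchanged.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if !isWebSocketHandshake(r) {
		http.Error(w, "expected WebSocket handshake", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusSwitchingProtocols)
}

// hardenedHandler refuses the upgrade with 403 unless originAllowed passes.
func hardenedHandler(allowedHosts map[string]bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !isWebSocketHandshake(r) {
			http.Error(w, "expected WebSocket handshake", http.StatusBadRequest)
			return
		}
		if !originAllowed(r, allowedHosts) {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusSwitchingProtocols)
	}
}

// handshakeStatus replays a constructed browser handshake against h and returns
// the HTTP status code: 101 means the WebSocket would have been established.
func handshakeStatus(h http.Handler, host, origin string) int {
	req := httptest.NewRequest(http.MethodGet, "http://"+host+"/ws", nil)
	req.Host = host
	req.Header.Set("Upgrade", "websocket")
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Sec-WebSocket-Version", "13")
	req.Header.Set("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ==") // RFC 6455 sample key
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const dashboard = "localhost:7500"     // constructed example host, not a Kubetail default
	const attacker = "https://attacker.example" // constructed cross-site origin
	hardened := hardenedHandler(nil)      // nil allowlist: strict host match
	vuln := http.HandlerFunc(vulnerableHandler)
	fmt.Printf("vulnerable, cross-site origin: %d\n", handshakeStatus(vuln, dashboard, attacker))
	fmt.Printf("hardened,   cross-site origin: %d\n", handshakeStatus(hardened, dashboard, attacker))
	fmt.Printf("hardened,   same origin:       %d\n", handshakeStatus(hardened, dashboard, "http://"+dashboard))
	fmt.Printf("hardened,   no Origin (CLI):   %d\n", handshakeStatus(hardened, dashboard, ""))
}
```

The same replay, with the Origin header set to a host you do not control, is also the quickest way to check a deployed instance: a server that still answers 101 to a foreign Origin has not been fixed. Note that the check only helps when it runs before the upgrade; once the socket is open the browser has already sent its credentials.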
Recommendations
Update Kubetail Dashboard to version 0.14.0 or later.
Update Kubetail Helm Chart to version 0.23.0 or later.
Update Kubetail CLI to version 0.16.0 or later.
After upgrading, confirm the fix by replaying a WebSocket handshake against the dashboard with an Origin header set to a host you do not control and checking that the upgrade is refused.
For desktop users, stop the dashboard process when not in use and avoid visiting untrusted sites in the same browser profile while it is running.
For cluster deployments, restrict Ingress access to a VPN, bastion, or office network, or put a stronger authentication layer such as an OAuth proxy in front of the dashboard; basic auth alone does not stop the browser from attaching credentials to a cross-site handshake.
Affected Products
Kubetail Cli
Kubetail Dashboard
Kubetail Helm Chart