PT-2026-41156 · Go+1 · Github.Com/Kumahq/Kuma+1

Eldudareeno · Published 2026-05-14 · Updated 2026-05-28 · CVE-2026-45021

CVSS v4.0: 5.1 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Kuma versions prior to 2.7.25
Kuma versions prior to 2.9.15
Kuma versions prior to 2.11.13
Kuma versions prior to 2.12.10
Kuma versions prior to 2.13.5
Description

The default kuma-cp configuration leaks the admin bootstrap token and signing keys to any webpage an operator visits while the control plane is reachable from their browser. This occurs because CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. Because the operator's browser runs on the same machine as the control plane, its requests arrive from 127.0.0.1 and are treated as the admin's, while the permissive CORS policy lets any page read the response. A cross-origin fetch() from a malicious page can therefore return the admin JWT and signing material.
Recommendations

Update to version 2.7.25.
Update to version 2.9.15.
Update to version 2.11.13.
Update to version 2.12.10.
Update to version 2.13.5.
Set KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=false after retrieving the admin token.
Set KUMA_API_SERVER_CORS_ALLOWED_DOMAINS to an explicit allowlist, such as http://localhost:5681,http://127.0.0.1:5681.
Avoid running kuma-cp on a machine used to browse untrusted websites.
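The two settings named in the description only become dangerous in combination: a reflected Origin on its own lets a page read responses, and loopback-as-admin on its own only matters for requests that really come from the operator. The following Go program is an added illustration written for this page, not Kuma's own code; it models both decisions in a simplified form (CORS entries are treated as anchored regular expressions, which is how the default `.*` entry would match every Origin, and loopback detection is done on the remote address) and compares the default configuration with the hardened one from the recommendations. The `untrusted.example` origin, the port numbers and the struct and function names are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// APIServerConfig holds the two settings discussed in the advisory.
// Simplified model for illustration, not Kuma's configuration struct.
type APIServerConfig struct {
	CorsAllowedDomains []string // each entry treated as an anchored regex (assumption)
	LocalhostIsAdmin   bool     // promote loopback requests to mesh-system:admin
}

// Request is the subset of an incoming HTTP request the decision depends on.
type Request struct {
	Origin     string // Origin header value, "" when absent
	RemoteAddr string // peer address, e.g. "127.0.0.1:51234"
}

// Decision records what the modelled server would do with the request.
type Decision struct {
	AllowOrigin string // value echoed in Access-Control-Allow-Origin, "" if none
	User        string // identity the request is processed as
}

// originAllowed reports whether any configured pattern matches the Origin.
// Patterns are anchored so "http://localhost:5681" cannot match a longer string.
func originAllowed(patterns []string, origin string) bool {
	if origin == "" {
		return false
	}
	for _, p := range patterns {
		re, err := regexp.Compile("^(?:" + p + ")$")
		if err != nil {
			continue // a malformed pattern never matches
		}
		if re.MatchString(origin) {
			return true
		}
	}
	return false
}

// isLoopback is true when the peer address is a loopback IP such as 127.0.0.1.
func isLoopback(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// Evaluate applies the CORS and localhost-admin rules to one request.
func Evaluate(cfg APIServerConfig, req Request) Decision {
	d := Decision{User: "anonymous"}
	if originAllowed(cfg.CorsAllowedDomains, req.Origin) {
		d.AllowOrigin = req.Origin
	}
	if cfg.LocalhostIsAdmin && isLoopback(req.RemoteAddr) {
		d.User = "mesh-system:admin"
	}
	return d
}

// Exposed is true when a page at req.Origin would receive an admin-level
// response: the Origin is reflected AND the loopback request is promoted.
func Exposed(cfg APIServerConfig, req Request) bool {
	d := Evaluate(cfg, req)
	return d.AllowOrigin != "" && d.User == "mesh-system:admin"
}

func main() {
	defaultCfg := APIServerConfig{CorsAllowedDomains: []string{".*"}, LocalhostIsAdmin: true}
	hardenedCfg := APIServerConfig{
		CorsAllowedDomains: []string{"http://localhost:5681", "http://127.0.0.1:5681"},
		LocalhostIsAdmin:   false,
	}
	// Constructed sample: a cross-origin request issued by a browser on the
	// operator's own machine, so it reaches kuma-cp from 127.0.0.1.
	req := Request{Origin: "https://untrusted.example", RemoteAddr: "127.0.0.1:51234"}
	fmt.Printf("default:  %+v exposed=%v\n", Evaluate(defaultCfg, req), Exposed(defaultCfg, req))
	fmt.Printf("hardened: %+v exposed=%v\n", Evaluate(hardenedCfg, req), Exposed(hardenedCfg, req))
}
```

Running it shows the default configuration reflecting the untrusted Origin and answering as mesh-system:admin, while the hardened configuration neither reflects the Origin nor promotes the request; the legitimate GUI origin http://localhost:5681 is still accepted by the explicit allowlist, which is why fixing CORS alone does not break local use of the GUI.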

Fix

Weakness Enumeration

Origin Validation Error

Related Identifiers

CVE-2026-45021
GHSA-3VCP-CHFH-F6R2

Affected Products

Github.Com/Kumahq/Kuma
Kuma