PT-2026-44417 · Tigera · Calicoctl

Anthony Tam

+1

·

Published

2026-05-28

·

Updated

2026-07-07

·

CVE-2026-6720

CVSS v4.0

7.2

High

VectorAV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions calicoctl (affected versions not specified)
Description When the client is invoked with --log-level=info or --log-level=debug, it prints the full contents of its loaded connection-configuration struct to stderr in a single log line. This struct contains sensitive credentials used to communicate with the cluster, including the inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. This allows any reader of the stderr stream, such as CI job logs or session-recording archives, to extract these credentials without requiring Kubernetes privileges. This issue only occurs when verbose logging is explicitly enabled, as the default log level is panic.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Insertion into Log File

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-6720
GHSA-3M4Q-GGCJ-J6M4
GO-2026-5893

Affected Products

Calicoctl