PT-2026-44417 · Tigera · Calicoctl
Anthony Tam
+1
·
Published
2026-05-28
·
Updated
2026-07-07
·
CVE-2026-6720
CVSS v4.0
7.2
High
| Vector | AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H |
Name of the Vulnerable Software and Affected Versions
calicoctl (affected versions not specified)
Description
When the client is invoked with
--log-level=info or --log-level=debug, it prints the full contents of its loaded connection-configuration struct to stderr in a single log line. This struct contains sensitive credentials used to communicate with the cluster, including the inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. This allows any reader of the stderr stream, such as CI job logs or session-recording archives, to extract these credentials without requiring Kubernetes privileges. This issue only occurs when verbose logging is explicitly enabled, as the default log level is panic.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Insertion into Log File
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Calicoctl