PT-2026-60682 · Go · Github.Com/Kumahq/Kuma+1
CVE-2026-52724
·
Published
2026-07-16
·
Updated
2026-07-16
CVSS v4.0
5.8
Medium
| Vector | AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H |
When kuma-dp is started against an HTTPS control plane and the operator did not pass a CA certificate, the data plane connects with TLS peer verification disabled. The dataplane authentication token is sent over this unverified connection
Impact
An on-path attacker can intercept the dataplane authentication token and impersonate the control plane to the data plane, allowing them to inject a forged bootstrap configuration and take over the proxy
Affected configurations
- Universal mode
kuma-dpstarted against an HTTPS control plane without--ca-cert-file(orKUMA CONTROL PLANE CA CERTunset)
Not affected
- Kubernetes installs done through the standard installers (
kumactl install control-planeor the official Helm chart). In both cases the control plane's mutating admission webhook injectsKUMA CONTROL PLANE CA CERTinto every sidecar at pod admission, so eachkuma-dpstarts with the CA already configured
Workarounds
Set
--ca-cert-file (or KUMA CONTROL PLANE CA CERT) on every Universal mode data plane and point it at the control plane's serving CA. Alternatively, terminate the control plane behind a publicly trusted certificate; the patched releases will verify successfully against the operating system trust store with no further configurationResources
Fix
Improper Certificate Validation
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github.Com/Kumahq/Kuma
Github.Com/Kumahq/Kuma/V2