PT-2026-6317 · Devtron · Devtron

B0B0Haha

Published 2026-02-04 · Updated 2026-02-06

CVE-2026-25538

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Devtron versions prior to 2.0.0

Description: Devtron is a tool integration platform for Kubernetes. A flaw exists in the Attributes API interface that allows authenticated users to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. Obtaining this key enables attackers to forge JWT tokens for arbitrary user identities offline, potentially granting complete control over the Devtron platform and allowing lateral movement to the underlying Kubernetes cluster. The issue was addressed with commit d2b0d26.

Recommendations: Update to a version later than 2.0.0.
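Until the update is applied, defenders can check reverse-proxy access logs for reads of the apiTokenSecret attribute. The helper below is an added example, not Devtron's code or part of the advisory; it assumes nginx combined log format (field positions are an assumption) and uses constructed sample lines.

```python
"""Flag requests that read the Devtron apiTokenSecret attribute
(CVE-2026-25538) in access logs. Added example, not Devtron's code.
Assumes nginx "combined" format; handles URL-encoding, case and a
trailing slash so trivial variations of the request are not missed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

SENSITIVE_PATH = "/orchestrator/attributes"
SENSITIVE_KEY = "apitokensecret"  # compared case-insensitively

# ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; users, IPs and "someOtherKey" are made up.
SAMPLE_LOG = [
    '10.0.0.5 - alice [04/Feb/2026:10:12:01 +0000] '
    '"GET /orchestrator/attributes?key=apiTokenSecret HTTP/1.1" 200 312',
    '10.0.0.7 - bob [04/Feb/2026:10:13:44 +0000] '
    '"GET /orchestrator/attributes/?key=%61piTokenSecret HTTP/1.1" 200 310',
    '10.0.0.9 - carol [04/Feb/2026:10:14:02 +0000] '
    '"GET /orchestrator/attributes?key=someOtherKey HTTP/1.1" 200 120',
    '10.0.0.5 - alice [04/Feb/2026:10:15:30 +0000] '
    '"GET /orchestrator/app/list HTTP/1.1" 200 8890',
]


def is_secret_read(target: str) -> bool:
    """True if the request target asks the Attributes API for apiTokenSecret."""
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/").lower()
    if path != SENSITIVE_PATH:
        return False
    # parse_qs decodes once; unquote again to catch double-encoded values
    keys = parse_qs(parts.query, keep_blank_values=True).get("key", [])
    return any(unquote(k).strip().lower() == SENSITIVE_KEY for k in keys)


def find_secret_reads(lines):
    """Return one dict per matching request (who, from where, when, status)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_secret_read(m["target"]):
            hits.append({"user": m["user"], "ip": m["ip"],
                         "ts": m["ts"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in find_secret_reads(SAMPLE_LOG):
        print(hit)
```

A 200 response to such a request on a version prior to 2.0.0 should be treated as a signing-key exposure, which means rotating the key and reviewing sessions issued afterwards.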

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-25538
GHSA-8WPC-J9Q9-J5M2
GO-2026-4416
SUSE-SU-2026:0403-1

Affected Products

Devtron