CVE-2026-45021
CWE-346Published: May 28, 2026· Updated: May 28, 2026
Official Description
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5.
Technical Analysis
CVE-2026-45021 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation does not require any privileges, though user interaction (A) is needed, which slightly reduces the risk of mass automated attacks.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
All References (8)
Quick Facts
Related CVEs (CWE-346)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-45021 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts