CVE-2026-41185— ServiceAccount token disclosure via Azure IPAM CNI plugin logs
Possible ATT&CK Techniques 1AI
T1530 · Data from Cloud StorageAffected Version Matrix 4
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Tigera | Calico | < 3.32.0 | affected |
| Tigera | Calico Cloud | < 22.4.0 | affected |
| Tigera | Calico Enterprise | < 3.21.7 | affected |
3.22.0< 3.22.3 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41185
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ServiceAccount token disclosure via Azure IPAM CNI plugin logs
Source: NVD (National Vulnerability Database)
Vulnerability Description
When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map (stdinData) at INFO level to /var/log/calico/cni/cni.log on every CNI ADD and DEL invocation — once per pod scheduled or terminated on the node. When the cluster is deployed using token-based Kubernetes authentication, this log entry contains the ServiceAccount token, client key, and certificate authority in plaintext. Any principal with read access to /var/log/calico/cni/cni.log on a node can read these logs and extract the credentials, which grant cluster-wide Calico networking admin privileges.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过日志文件的信息暴露
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Tigera | Calico | 0 ~ 3.32.0 | - | |
| Tigera | Calico Enterprise | 0 ~ 3.21.7 | - | |
| Tigera | Calico Cloud | 0 ~ 22.4.0 | - |
II. Public POCs for CVE-2026-41185
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41185
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-41185 (3)
Vendor Advisories for CVE-2026-41185 (1)
- 🔗 Page not found | Tigera – Creator of Calicovendor-advisory
Same Patch Batch · Tigera · 2026-05-28 · 3 CVEs total
| CVE-2026-41184 | ServiceAccount token disclosure via install-cni container logs | |
| CVE-2026-6720 | Calicoctl leaks cluster credentials to stderr when verbose logging is enabled |
IV. Related Vulnerabilities
Same product: Calico
Same vendor: Tigera
Same weakness: CWE-532
- CVE-2026-49200
Acer Wave 7 router: Broken Access Control - CVE-2026-6720
Calicoctl leaks cluster credentials to stderr when verbose l - CVE-2026-41184
ServiceAccount token disclosure via install-cni container lo - CVE-2026-32996
Veeam Agent for Windows 本地权限提升漏洞 - CVE-2026-2607
Multiple vulnerabilities in IBM MQ Operator and Queue manage
V. Comments for CVE-2026-41185
No comments yet