CVE-2026-6720— Calicoctl leaks cluster credentials to stderr when verbose logging is enabled
Possible ATT&CK Techniques 1AI
T1005 · Data from Local SystemAffected Version Matrix 4
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Tigera | Calico | < 3.32.0 | affected |
| Tigera | Calico Cloud | < 22.4.0 | affected |
| Tigera | Calico Enterprise | < 3.21.7 | affected |
3.22.3 | unaffected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-6720
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Calicoctl leaks cluster credentials to stderr when verbose logging is enabled
Source: NVD (National Vulnerability Database)
Vulnerability Description
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过日志文件的信息暴露
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Tigera | Calico | 0 ~ 3.32.0 | - | |
| Tigera | Calico Enterprise | 0 ~ 3.21.7 | - | |
| Tigera | Calico Cloud | 0 ~ 22.4.0 | - |
II. Public POCs for CVE-2026-6720
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-6720
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-6720 (3)
Vendor Advisories for CVE-2026-6720 (1)
- 🔗 Page not found | Tigera – Creator of Calicovendor-advisory
Same Patch Batch · Tigera · 2026-05-28 · 3 CVEs total
| CVE-2026-41185 | ServiceAccount token disclosure via Azure IPAM CNI plugin logs | |
| CVE-2026-41184 | ServiceAccount token disclosure via install-cni container logs |
IV. Related Vulnerabilities
Same product: Calico
Same vendor: Tigera
Same weakness: CWE-532
- CVE-2026-49200
Acer Wave 7 router: Broken Access Control - CVE-2026-41185
ServiceAccount token disclosure via Azure IPAM CNI plugin lo - CVE-2026-41184
ServiceAccount token disclosure via install-cni container lo - CVE-2026-32996
Veeam Agent for Windows 本地权限提升漏洞 - CVE-2026-2607
Multiple vulnerabilities in IBM MQ Operator and Queue manage
V. Comments for CVE-2026-6720
No comments yet