CVE-2026-45021 PUBLISHED

Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

Assigner: GitHub_M
Reserved: 08.05.2026 Published: 28.05.2026 Updated: 28.05.2026

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	Active

CVSS 4.0

Product Status

Vendor	kumahq
Product	kuma
Versions	Version < 2.7.25 is affected Version >= 2.9.0, < 2.9.15 is affected Version >= 2.11.0, < 2.11.13 is affected Version >= 2.12.0, < 2.12.10 is affected Version >= 2.13.0, < 2.13.5 is affected

References

Problem Types

CWE-346: Origin Validation Error CWE
CWE-942: Permissive Cross-domain Policy with Untrusted Domains CWE