CVE-2026-6720 (GCVE-0-2026-6720)
Vulnerability from cvelistv5 – Published: 2026-05-28 15:47 – Updated: 2026-05-28 17:04
Title
Calicoctl leaks cluster credentials to stderr when verbose logging is enabled
Summary
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.
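The pattern behind this CWE-532 finding, and one way to close it, as an added Go example that is not calicoctl's code and not the fix in the referenced pull requests. The `leakyConfig` struct is a hypothetical stand-in built from the credential fields the advisory lists; the sample token, password, PEM key and kubeconfig are constructed values; `logLine` stands in for a debug-level log statement that formats the whole struct. The hardened `safeConfig` gives every secret field a type whose `String`, `GoString` and `MarshalText` methods return a placeholder, so the same `%+v` dump no longer carries the credentials. The `findLeakedMaterial` helper is a heuristic triage check for a reader who has to go through retained CI or session logs after the fact.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// leakyConfig is a hypothetical connection-configuration struct modelled on
// the credential fields the advisory names. It is NOT calicoctl's real type.
type leakyConfig struct {
	DatastoreType string
	Kubeconfig    string // inline kubeconfig, carries a bearer token
	K8sAPIToken   string
	EtcdPassword  string
	EtcdKeyPEM    string
}

// redacted is a string type whose formatted output never reveals its value.
// fmt honours Stringer/GoStringer on exported struct fields, so %v, %+v and
// %#v of a struct holding redacted fields print only the placeholder.
type redacted string

func (r redacted) String() string {
	if r == "" {
		return ""
	}
	return "[REDACTED]"
}

func (r redacted) GoString() string { return `"[REDACTED]"` }

// MarshalText keeps the value out of encoding/json and similar dumps too.
func (r redacted) MarshalText() ([]byte, error) { return []byte(r.String()), nil }

// safeConfig is the hardened form: same shape, secret fields typed redacted.
type safeConfig struct {
	DatastoreType string
	Kubeconfig    redacted
	K8sAPIToken   redacted
	EtcdPassword  redacted
	EtcdKeyPEM    redacted
}

// logLine reproduces the vulnerable pattern: the whole struct formatted into
// one debug record. Newlines are escaped so the record stays on one line.
func logLine(cfg any) string {
	s := fmt.Sprintf(`level=debug msg="loaded datastore config" cfg=%+v`, cfg)
	return strings.ReplaceAll(s, "\n", `\n`)
}

// Constructed sample credentials for this example; none of them are real.
const (
	sampleToken = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjYWxpY29jdGwifQ.c2lnbmF0dXJl"
	samplePass  = "etcd-p4ssw0rd"
	sampleKey   = "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIExampleKeyBytes\n-----END EC PRIVATE KEY-----"
	sampleKube  = "apiVersion: v1\nusers:\n- name: admin\n  user:\n    token: " + sampleToken
)

// leakyLine is what a reader of stderr gets from the vulnerable form.
func leakyLine() string {
	return logLine(leakyConfig{
		DatastoreType: "kubernetes", Kubeconfig: sampleKube, K8sAPIToken: sampleToken,
		EtcdPassword: samplePass, EtcdKeyPEM: sampleKey,
	})
}

// safeLine is the identical log statement over the hardened struct.
func safeLine() string {
	return logLine(safeConfig{
		DatastoreType: "kubernetes", Kubeconfig: redacted(sampleKube), K8sAPIToken: redacted(sampleToken),
		EtcdPassword: redacted(samplePass), EtcdKeyPEM: redacted(sampleKey),
	})
}

// leakPatterns are heuristic indicators for triaging retained CI or session
// logs for the kinds of credential material the advisory names.
var leakPatterns = map[string]*regexp.Regexp{
	"pem-private-key":       regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`),
	"jwt-like-token":        regexp.MustCompile(`\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+`),
	"kubeconfig-with-token": regexp.MustCompile(`(?s)apiVersion: v1.{0,400}?\btoken: `),
}

// findLeakedMaterial returns the sorted names of the indicators matching a line.
func findLeakedMaterial(line string) []string {
	hits := []string{}
	for name, re := range leakPatterns {
		if re.MatchString(line) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	fmt.Println("vulnerable:", leakyLine())
	fmt.Println("hardened:  ", safeLine())
	fmt.Println("indicators, vulnerable:", findLeakedMaterial(leakyLine()))
	fmt.Println("indicators, hardened:  ", findLeakedMaterial(safeLine()))
}
```

The redacting type only covers code paths that go through `fmt`, `encoding.TextMarshaler` or `encoding/json`; a logger that walks struct fields by reflection, or a direct `string(cfg.K8sAPIToken)` conversion, still gets the raw value, which is why the fix for the real client is in the referenced patches rather than a type change alone. Treat anything `findLeakedMaterial` flags in a retained log as exposed: the advisory's point is that reading that log needs no Kubernetes privilege at all.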
Severity
CVSS 4.0 (Tigera, CNA): 7.2 High
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
SSVC (CISA Coordinator, v2.0.3)
Exploitation: none
Automatable: no
Technical Impact: partial
EPSS (2026-06-02): 0.00025, percentile 0.07381
CWE
CWE-532: Insertion of Sensitive Information into Log File
Assigner
Tigera (psirt@tigera.io)
References
4 references
https://github.com/projectcalico/calico/pull/12535 (patch)
https://github.com/projectcalico/calico/pull/12536 (patch)
https://github.com/projectcalico/calico/pull/12537 (patch)
https://www.tigera.io/security-bulletins/tta-2026-003/ (vendor-advisory)
Impacted products
3 products
| Vendor | Product | Affected (semver) | Unaffected (semver) |
|---|---|---|---|
| Tigera | Calico | >= 0, < 3.32.0 | |
| Tigera | Calico Enterprise | >= 0, < 3.21.7 | 3.22.3 |
| Tigera | Calico Cloud | >= 0, < 22.4.0 | |
Date Public
2026-05-28 16:00
Credits
Finder: Behnam Shobiri
Remediation developer: Behnam Shobiri
Remediation verifier: Anthony Tam
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6720",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T17:04:05.727153Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T17:04:11.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Calico",
"vendor": "Tigera",
"versions": [
{
"lessThan": "3.32.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Calico Enterprise",
"vendor": "Tigera",
"versions": [
{
"lessThan": "3.21.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "3.22.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Calico Cloud",
"vendor": "Tigera",
"versions": [
{
"lessThan": "22.4.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.32.0",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tigera:calico_enterprise:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.21.7",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tigera:calico_enterprise:3.22.3:*:*:*:*:*:*:*",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tigera:calico_cloud:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.4.0",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Behnam Shobiri"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Behnam Shobiri"
},
{
"lang": "en",
"type": "remediation verifier",
"value": "Anthony Tam"
}
],
"datePublic": "2026-05-28T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eWhen \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e is invoked with \u003c/span\u003e\u003cspan\u003e--log-level=info\u003c/span\u003e\u003cspan\u003e or \u003c/span\u003e\u003cspan\u003e--log-level=debug\u003c/span\u003e\u003cspan\u003e, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e \u2014 can extract these credentials with zero Kubernetes privilege. \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e\u0027s default log level is \u003c/span\u003e\u003cspan\u003epanic\u003c/span\u003e\u003cspan\u003e, so this issue only triggers when verbose logging is explicitly enabled.\u003c/span\u003e"
}
],
"value": "When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl \u2014 can extract these credentials with zero Kubernetes privilege. calicoctl\u0027s default log level is panic, so this issue only triggers when verbose logging is explicitly enabled."
}
],
"impacts": [
{
"capecId": "CAPEC-150",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-150 Collect Data from Common Resource Locations"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:47:42.519Z",
"orgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
"shortName": "Tigera"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/12535"
},
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/12536"
},
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/12537"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tigera.io/security-bulletins/tta-2026-003/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Calicoctl leaks cluster credentials to stderr when verbose logging is enabled",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
"assignerShortName": "Tigera",
"cveId": "CVE-2026-6720",
"datePublished": "2026-05-28T15:47:42.519Z",
"dateReserved": "2026-04-20T19:31:31.065Z",
"dateUpdated": "2026-05-28T17:04:11.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-6720",
"date": "2026-06-02",
"epss": "0.00025",
"percentile": "0.07381"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-6720\",\"sourceIdentifier\":\"psirt@tigera.io\",\"published\":\"2026-05-28T17:16:33.490\",\"lastModified\":\"2026-05-29T15:39:34.620\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl \u2014 can extract these credentials with zero Kubernetes privilege. calicoctl\u0027s default log level is panic, so this issue only triggers when verbose logging is explicitly 
enabled.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"psirt@tigera.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"psirt@tigera.io\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-532\"}]}],\"references\":[{\"url\":\"https://github.com/projectcalico/calico/pull/12535\",\"source\":\"psirt@tigera.io\"},{\"url\":\"https://github.com/projectcalico/calico/pull/12536\",\"source\":\"psirt@tigera.io\"},{\"url\":\"htt
ps://github.com/projectcalico/calico/pull/12537\",\"source\":\"psirt@tigera.io\"},{\"url\":\"https://www.tigera.io/security-bulletins/tta-2026-003/\",\"source\":\"psirt@tigera.io\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-6720\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-28T17:04:05.727153Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-28T17:04:08.496Z\"}}], \"cna\": {\"title\": \"Calicoctl leaks cluster credentials to stderr when verbose logging is enabled\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Behnam Shobiri\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Behnam Shobiri\"}, {\"lang\": \"en\", \"type\": \"remediation verifier\", \"value\": \"Anthony Tam\"}], \"impacts\": [{\"capecId\": \"CAPEC-150\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-150 Collect Data from Common Resource Locations\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.2, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": 
\"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Tigera\", \"product\": \"Calico\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.32.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"Tigera\", \"product\": \"Calico Enterprise\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.21.7\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"3.22.3\", \"versionType\": \"semver\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"Tigera\", \"product\": \"Calico Cloud\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"22.4.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"affected\"}], \"datePublic\": \"2026-05-28T16:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/projectcalico/calico/pull/12535\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/projectcalico/calico/pull/12536\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/projectcalico/calico/pull/12537\", \"tags\": [\"patch\"]}, {\"url\": \"https://www.tigera.io/security-bulletins/tta-2026-003/\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster \\u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \\u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl \\u2014 can extract these credentials with zero Kubernetes privilege. 
calicoctl\u0027s default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan\u003eWhen \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e is invoked with \u003c/span\u003e\u003cspan\u003e--log-level=info\u003c/span\u003e\u003cspan\u003e or \u003c/span\u003e\u003cspan\u003e--log-level=debug\u003c/span\u003e\u003cspan\u003e, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e uses to talk to the cluster \\u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \\u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e \\u2014 can extract these credentials with zero Kubernetes privilege. 
\u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e\u0027s default log level is \u003c/span\u003e\u003cspan\u003epanic\u003c/span\u003e\u003cspan\u003e, so this issue only triggers when verbose logging is explicitly enabled.\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-532\", \"description\": \"CWE-532\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"3.32.0\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:tigera:calico_enterprise:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"3.21.7\", \"versionStartIncluding\": \"0\"}, {\"criteria\": \"cpe:2.3:a:tigera:calico_enterprise:3.22.3:*:*:*:*:*:*:*\", \"vulnerable\": false}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:tigera:calico_cloud:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"22.4.0\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"e6d453f4-3dae-4941-bcea-9af25f4e824d\", \"shortName\": \"Tigera\", \"dateUpdated\": \"2026-05-28T15:47:42.519Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-6720\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-28T17:04:11.659Z\", \"dateReserved\": \"2026-04-20T19:31:31.065Z\", \"assignerOrgId\": \"e6d453f4-3dae-4941-bcea-9af25f4e824d\", \"datePublished\": \"2026-05-28T15:47:42.519Z\", \"assignerShortName\": \"Tigera\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}