PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42283 devspace-sh CVE debrief

CVE-2026-42283 affects DevSpace UI server WebSocket handling before 6.3.21. The server accepted WebSocket connections from all origins by default, so a malicious website could use a developer's browser to open a cross-origin WebSocket to ws://127.0.0.1:8090 and interact with the local endpoints exposed there.

Vendor
devspace-sh
Product
devspace
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-14
Original CVE updated
2026-05-21
Advisory published
2026-05-14
Advisory updated
2026-05-21

Who should care

Developers and workstation users running DevSpace UI, especially anyone who may browse untrusted websites in the same browser while the DevSpace UI server is active.

Technical summary

According to the NVD record and the linked vendor advisory, DevSpace 6.3.20 is vulnerable and the issue is fixed in 6.3.21. The UI server's WebSocket endpoint accepted all origins by default, which allowed cross-origin, browser-driven connections to the local service on 127.0.0.1:8090. The mechanism matters: browsers do not apply the same-origin policy or a CORS preflight to a WebSocket handshake, so a page on any site can complete the handshake to a loopback port and the Origin request header is the only signal the server has to tell its own UI apart from an attacker's page. A server that accepts every Origin therefore lets any site the developer visits act as a client of the local endpoints, with no further authentication, which is what the CWE-306 (missing authentication for critical function) and CWE-200 (exposure of sensitive information) classifications reflect. NVD scores the issue with CVSS 3.1 vector AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (7.7, High): local attack vector because the target is the developer's own machine, user interaction required because the developer must load the attacker's page, and changed scope because the browser is the intermediary through which the local service is reached.
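The defect and its fix in miniature, as an added example written for this debrief rather than code taken from DevSpace or the advisory. It contrasts an accept-everything origin check with a strict one that only admits the UI's own host (or an explicit allowlist), then replays the handshake a browser would send from an attacker's page and from the legitimate UI. The handler names, the allowlist entry, the `/ws` path and the `attacker.example` origin are all assumptions; the standard library's `net/http/httptest` stands in for a real browser and a real upgrade.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// permissiveCheckOrigin reproduces the pre-6.3.21 behaviour the advisory
// describes: every Origin is accepted, so any website the developer visits
// can drive a WebSocket to the local UI. Illustrative only, not DevSpace code.
func permissiveCheckOrigin(r *http.Request) bool {
	return true
}

// strictCheckOrigin admits a browser-originated handshake only when the
// Origin header names the UI's own host (same-origin) or an allowlisted host.
// Assumed policy: a missing Origin is accepted, because browsers always send
// Origin on a WebSocket handshake and the cross-site attack needs a browser;
// non-browser clients (a CLI, curl) may omit it. Return false there instead
// if the endpoint is only ever reached from a browser.
func strictCheckOrigin(r *http.Request, allowedHosts []string) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	// "null" (sandboxed iframe, file:// page) and malformed values parse with
	// an empty scheme or host and are rejected here.
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return false
	}
	// r.Host is the Host header the client sent, e.g. "127.0.0.1:8090"; the
	// comparison includes the port so another local service cannot qualify.
	if strings.EqualFold(u.Host, r.Host) {
		return true
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(u.Host, h) {
			return true
		}
	}
	return false
}

// wsGate is the check a WebSocket endpoint runs before upgrading. On failure
// it answers 403 and the upgrade never happens; on success a real endpoint
// would perform the upgrade where the 200 placeholder is written.
func wsGate(check func(*http.Request) bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !check(r) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}

// handshake builds the request a browser sends for
// new WebSocket("ws://127.0.0.1:8090/ws") from a page at pageOrigin
// (constructed sample; an empty pageOrigin models a non-browser client).
func handshake(pageOrigin string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "http://127.0.0.1:8090/ws", nil)
	r.Header.Set("Connection", "Upgrade")
	r.Header.Set("Upgrade", "websocket")
	if pageOrigin != "" {
		r.Header.Set("Origin", pageOrigin)
	}
	return r
}

// statusFor runs one handshake through the gate and returns the HTTP status.
func statusFor(check func(*http.Request) bool, pageOrigin string) int {
	rec := httptest.NewRecorder()
	wsGate(check)(rec, handshake(pageOrigin))
	return rec.Code
}

func main() {
	allowed := []string{"localhost:8090"} // assumed allowlist: the UI reached via localhost
	strict := func(r *http.Request) bool { return strictCheckOrigin(r, allowed) }
	for _, o := range []string{
		"https://attacker.example",             // cross-site page: must be refused
		"http://127.0.0.1:8090",                // the UI's own origin
		"http://localhost:8090",                // allowlisted alias
		"http://127.0.0.1:8090.attacker.example", // prefix trick, not the same host
		"null",                                 // opaque origin
		"",                                     // non-browser client
	} {
		fmt.Printf("origin=%-40q permissive=%d strict=%d\n",
			o, statusFor(permissiveCheckOrigin, o), statusFor(strict, o))
	}
}
```

The permissive gate returns 200 for every line, including the attacker's page; the strict gate returns 403 for the cross-site, prefix-trick and "null" origins and 200 only for the UI's own host, the allowlisted alias and the Origin-less client. Whether that last case should also be refused is a deployment decision, not something the advisory settles.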

Defensive priority

High

Recommended defensive actions

  • Upgrade DevSpace to 6.3.21 or later; 6.3.20 is the version the NVD record identifies as vulnerable.
  • Treat the DevSpace UI server as sensitive local attack surface until patched: any page loaded in the browser can reach it.
  • Do not keep the DevSpace UI running while browsing untrusted sites in the same browser session; the attack needs the developer to load an attacker-controlled page (UI:R in the vector) while the server is up.
  • Confirm the UI server listens only on the loopback address (127.0.0.1:8090 per the advisory) and is not reachable from other hosts, and follow the vendor advisory guidance.

Evidence notes

The supplied corpus includes the NVD-analyzed CVE record, which references the vendor advisory https://github.com/devspace-sh/devspace/security/advisories/GHSA-hqwm-7x7x-8379 and identifies vulnerable version 6.3.20. The CVE was published on 2026-05-14 and modified on 2026-05-21; those dates are used here for disclosure timing context. No KEV entry is present in the supplied data.

Official resources

Vendor advisory: https://github.com/devspace-sh/devspace/security/advisories/GHSA-hqwm-7x7x-8379 (fix in DevSpace 6.3.21).
NVD record for CVE-2026-42283, publicly disclosed on 2026-05-14 and last modified on 2026-05-21.
No CISA KEV entry is present in the supplied enrichment data.