PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45021 kumahq CVE debrief

A cross-origin information disclosure vulnerability in Kuma service mesh control plane (kuma-cp) allows malicious websites to steal administrative credentials. The default configuration permits any origin via CorsAllowedDomains: [.*] and treats localhost requests as administrative (LocalhostIsAdmin: true). When an operator visits a malicious webpage while the control plane is browser-reachable, the page can perform cross-origin fetch() requests to obtain the admin JWT bootstrap token and signing keys. This grants attackers full mesh administrative access. The vulnerability affects versions prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5.

Vendor
kumahq
Product
kuma
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

Kuma service mesh operators, platform engineers, DevSecOps teams, and organizations running kuma-cp in development or production environments with browser-accessible control planes.

Technical summary

The kuma-cp control plane's default configuration combines overly permissive CORS (CorsAllowedDomains accepting any origin) with localhost administrative elevation (LocalhostIsAdmin: true). Together these create a cross-origin information disclosure vector: malicious JavaScript on any website can fetch administrative endpoints on 127.0.0.1, receive CORS headers permitting the request, and extract the bootstrap admin JWT and signing keys. The attack requires the victim operator to visit the malicious page while kuma-cp is reachable from their browser, typically when port-forwarding or local development exposes the API server.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade kuma-cp to patched versions: 2.7.25, 2.9.15, 2.11.13, 2.12.10, or 2.13.5
  • Restrict kuma-cp network exposure to prevent browser reachability
  • Review and harden CORS configuration: replace CorsAllowedDomains: [.*] with explicit allowed origins
  • Disable LocalhostIsAdmin or restrict to secure administrative interfaces only
  • Audit existing admin tokens and rotate signing keys if compromise is suspected
  • Monitor for unauthorized cross-origin requests to kuma-cp administrative endpoints
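As an added example (not code from this debrief or from the Kuma project), the Go program below audits the two settings named in the technical summary and in the recommended actions above: it reports whether a CORS allow-list grants a given browser Origin and flags the combination of an allow-everything list with LocalhostIsAdmin. The config struct, the treatment of CorsAllowedDomains entries as whole-origin Go regular expressions, the probe origin, the hardened GUI origin and the severity labels are all assumptions made for this example. It generalizes slightly beyond the page: rather than matching only the literal `.*`, it probes the list with an origin no operator would knowingly allow, so over-broad patterns such as `https://.*` are caught too.

```go
package main

import (
	"fmt"
	"regexp"
)

// APIServerConfig carries the two kuma-cp settings the debrief names.
// The struct shape is an assumption for this example, not Kuma's own config type.
type APIServerConfig struct {
	CorsAllowedDomains []string // entries treated as Go regular expressions (assumption)
	LocalhostIsAdmin   bool
}

// Finding is one audit result: a severity label chosen for this example plus a message.
type Finding struct {
	Severity string
	Message  string
}

// OriginAllowed reports whether a browser Origin header value is matched by
// the allow-list, anchoring each pattern to the whole origin (assumption).
// A pattern that fails to compile grants nothing.
func OriginAllowed(allowed []string, origin string) bool {
	for _, pattern := range allowed {
		re, err := regexp.Compile("^(?:" + pattern + ")$")
		if err != nil {
			continue
		}
		if re.MatchString(origin) {
			return true
		}
	}
	return false
}

// AuditAPIServer flags the configuration combination the debrief describes.
// It probes the allow-list with a constructed origin that no operator would
// knowingly permit, which catches ".*" as well as any other over-broad pattern.
func AuditAPIServer(cfg APIServerConfig) []Finding {
	const probeOrigin = "https://untrusted.invalid" // constructed; .invalid is a reserved TLD
	var findings []Finding
	broadCORS := OriginAllowed(cfg.CorsAllowedDomains, probeOrigin)
	if broadCORS {
		findings = append(findings, Finding{"HIGH",
			"CorsAllowedDomains accepts arbitrary origins; list explicit GUI/tooling origins instead"})
	}
	if cfg.LocalhostIsAdmin {
		findings = append(findings, Finding{"MEDIUM",
			"LocalhostIsAdmin is enabled; requests arriving via loopback are treated as administrative"})
	}
	if broadCORS && cfg.LocalhostIsAdmin {
		findings = append(findings, Finding{"CRITICAL",
			"permissive CORS plus localhost-as-admin: a page open in the operator's browser can read admin responses from 127.0.0.1"})
	}
	return findings
}

func main() {
	// Default configuration as stated in the debrief.
	vulnerable := APIServerConfig{CorsAllowedDomains: []string{".*"}, LocalhostIsAdmin: true}
	// Hardened configuration following the recommended actions; the GUI origin is a constructed example.
	hardened := APIServerConfig{CorsAllowedDomains: []string{`https://kuma-gui\.corp\.example`}, LocalhostIsAdmin: false}

	cases := []struct {
		name string
		cfg  APIServerConfig
	}{{"default", vulnerable}, {"hardened", hardened}}
	for _, c := range cases {
		findings := AuditAPIServer(c.cfg)
		fmt.Printf("%s: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Printf("  [%s] %s\n", f.Severity, f.Message)
		}
	}
}
```

Run it against a rendered kuma-cp configuration to confirm that the hardened settings produce no findings while the shipped defaults produce three, with the combined CRITICAL finding being the one this CVE is about; an allow-list that only accepts the exact origins of the GUI and internal tooling is what the recommended CORS fix amounts to.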

Evidence notes

CVE description confirms that the default kuma-cp configuration with CorsAllowedDomains: [.*] and LocalhostIsAdmin: true enables cross-origin credential theft. GitHub Security Advisory GHSA-3vcp-chfh-f6r2 and multiple pull requests (16416, 16423-16427) provide patch verification. CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N reflects a network attack with low complexity and no privileges required, but with user interaction (UI:A) needed because the victim must visit the malicious page.

Official resources

Published 2026-05-28. Vendor security advisory and patches available same day.