PatchSiren cyber security CVE debrief
CVE-2026-41185 Tigera CVE debrief
When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After this mutation, the Azure IPAM helper logs the entire unmarshaled configuration map (stdinData) at INFO level to /var/log/calico/cni/cni.log on every CNI ADD and DEL invocation—once per pod scheduled or terminated on the node. When the cluster uses token-based Kubernetes authentication, this log entry contains the ServiceAccount token, client key, and certificate authority in plaintext. Any principal with read access to /var/log/calico/cni/cni.log on a node can extract these credentials, which grant cluster-wide Calico networking admin privileges.
- Vendor: Tigera
- Product: Calico
- CVSS: 6 (MEDIUM)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Organizations running Calico with the Azure IPAM plugin on Kubernetes clusters that use token-based authentication; platform engineering teams, cluster administrators, and security operations teams responsible for container network security and credential management; and environments with multi-tenant node access or compliance requirements for credential protection.
Technical summary
The vulnerability exists in the Azure IPAM helper component of Calico's CNI plugin. During CNI ADD and DEL operations, the helper logs the complete stdinData configuration map at INFO level without redacting sensitive fields. When Kubernetes token-based authentication is configured, this map contains the ServiceAccount token, client key, and certificate authority data. The logs are written to /var/log/calico/cni/cni.log with permissions that may allow broader read access than intended, and because the logging occurs on every pod lifecycle event, the credentials are written repeatedly rather than once. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L) encodes a network attack vector, low attack complexity, attack requirements present (AT:P), low privileges required (PR:L), no user interaction, high confidentiality impact on the vulnerable system, and low confidentiality, integrity, and availability impact on subsequent systems.
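The pattern the summary describes is a plugin writing the whole unmarshaled config map to its log; the straightforward hardening is to walk that map and blank credential-bearing fields before anything is serialised. The Go program below is an added example, not Calico's code and not the fix shipped in the referenced pull requests. The key names under "kubernetes" follow Calico's documented CNI config keys (k8s_auth_token, k8s_client_key, k8s_certificate_authority); the sample config, the "azure-vnet-ipam" IPAM type, and the marker-based key matching in isSensitive are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"strings"
)

// Constructed sample of the stdinData a CNI plugin receives on ADD and DEL.
// Key names under "kubernetes" follow Calico's documented CNI config; every
// value is a placeholder, not a real credential.
const sampleStdinData = `{
  "cniVersion": "0.3.1",
  "name": "k8s-pod-network",
  "type": "calico",
  "ipam": {"type": "azure-vnet-ipam"},
  "kubernetes": {
    "k8s_api_root": "https://10.0.0.1:443",
    "k8s_auth_token": "PLACEHOLDER-SERVICEACCOUNT-TOKEN",
    "k8s_client_key": "PLACEHOLDER-CLIENT-KEY-PEM",
    "k8s_certificate_authority": "PLACEHOLDER-CA-PEM"
  }
}`

// isSensitive decides, from the key name alone, whether a value must never be
// logged. Marker matching is an assumption of this example: it catches the
// Calico keys above (token, _key, certificate) plus common generic names.
func isSensitive(key string) bool {
	k := strings.ToLower(key)
	for _, marker := range []string{"token", "_key", "certificate", "password", "secret"} {
		if strings.Contains(k, marker) {
			return true
		}
	}
	return false
}

// redact returns a deep copy of v with every value under a sensitive key
// replaced by a fixed marker. Nested maps and slices are walked, so a token
// under "kubernetes" is caught as well as one at the top level.
func redact(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, val := range t {
			if isSensitive(k) {
				out[k] = "[REDACTED]"
			} else {
				out[k] = redact(val)
			}
		}
		return out
	case []interface{}:
		out := make([]interface{}, len(t))
		for i, val := range t {
			out[i] = redact(val)
		}
		return out
	default:
		return v
	}
}

// unsafeLogLine is the pattern the advisory describes: the raw map is
// formatted into the log as-is, credentials included. Shown only for
// contrast with safeLogLine.
func unsafeLogLine(raw []byte) (string, error) {
	var cfg map[string]interface{}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return "", err
	}
	return fmt.Sprintf("stdinData: %v", cfg), nil
}

// safeLogLine is the hardened form: redact first, then serialise for the log.
func safeLogLine(raw []byte) (string, error) {
	var cfg map[string]interface{}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return "", err
	}
	b, err := json.Marshal(redact(cfg))
	if err != nil {
		return "", err
	}
	return "stdinData: " + string(b), nil
}

func main() {
	line, err := safeLogLine([]byte(sampleStdinData))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(line)
}
```

Redacting by key name rather than by value is deliberate: a value-based filter has to recognise every token and PEM format, while a key-based one only has to know which configuration fields are secrets, and it fails closed when a new field happens to match one of the markers.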
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Calico to a fixed version per Tigera security bulletin TTA-2026-002
- Restrict file permissions on /var/log/calico/cni/cni.log to prevent unauthorized read access
- Review and rotate any potentially exposed ServiceAccount tokens, client certificates, and CA certificates
- Enable centralized log aggregation with appropriate access controls and redaction policies
- Monitor for unauthorized access to Calico CNI log files on cluster nodes
- Apply principle of least privilege to node-level file system access
- Consider using short-lived tokens and certificate rotation to reduce credential exposure window
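To act on the permission and rotation items above, an operator first needs two facts about each node: whether anyone besides the owner can read cni.log, and whether the log already holds credential-bearing entries. The Go helper below is an added example, not a Tigera tool. The log layout it reads is constructed for this example, and it matches lines by Calico's documented config key names rather than by any value, so it reports counts and file mode without reproducing credentials.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Default location named in the advisory; a path argument overrides it.
const defaultLogPath = "/var/log/calico/cni/cni.log"

// credentialKeys are Calico's documented CNI config key names for the fields
// the advisory says reach the log. Matching on names, not values, means the
// audit never has to recognise or copy a token.
var credentialKeys = []string{
	"k8s_auth_token", "k8s_client_key",
	"k8s_client_certificate", "k8s_certificate_authority",
}

// Constructed sample of a leaking log. The layout is illustrative, not a
// capture of the real cni.log, and all values are placeholders.
const sampleCNILog = `2026-05-28 17:16:22.670 [INFO][2201] cni-plugin ADD ContainerID=abc123 Pod=web-0
2026-05-28 17:16:22.671 [INFO][2201] azure ipam: stdinData=map[cniVersion:0.3.1 kubernetes:map[k8s_api_root:https://10.0.0.1:443 k8s_auth_token:PLACEHOLDER-TOKEN k8s_certificate_authority:PLACEHOLDER-CA]]
2026-05-28 17:16:23.002 [INFO][2201] cni-plugin ADD result: 10.244.1.7/32
2026-05-28 17:20:41.118 [INFO][2288] azure ipam: stdinData=map[cniVersion:0.3.1 kubernetes:map[k8s_api_root:https://10.0.0.1:443 k8s_auth_token:PLACEHOLDER-TOKEN k8s_client_key:PLACEHOLDER-KEY]]
`

// LogExposure is what an operator needs to decide on permissions and rotation.
type LogExposure struct {
	Mode             os.FileMode // permission bits of the log file
	WorldOrGroupRead bool        // anyone other than the owner can read it
	CredentialLines  int         // lines that carry a credential-bearing key
}

// auditCNILog inspects the file mode and counts credential-bearing lines.
func auditCNILog(path string) (LogExposure, error) {
	info, err := os.Stat(path)
	if err != nil {
		return LogExposure{}, err
	}
	perm := info.Mode().Perm()
	exp := LogExposure{Mode: perm, WorldOrGroupRead: perm&0o044 != 0}

	f, err := os.Open(path)
	if err != nil {
		return exp, err
	}
	defer f.Close()

	sc := bufio.NewScanner(f)
	// A line holding a whole config map (PEM blobs included) can exceed the
	// scanner's default 64 KiB limit, so allow much longer lines.
	sc.Buffer(make([]byte, 0, 1<<20), 8<<20)
	for sc.Scan() {
		line := sc.Text()
		for _, k := range credentialKeys {
			if strings.Contains(line, k) {
				exp.CredentialLines++
				break // count each line once, however many keys it holds
			}
		}
	}
	return exp, sc.Err()
}

// writeSampleLog writes the constructed log into dir with an explicit mode
// (chmod after write so the process umask cannot change the outcome).
func writeSampleLog(dir string, perm os.FileMode) (string, error) {
	path := filepath.Join(dir, "cni.log")
	if err := os.WriteFile(path, []byte(sampleCNILog), perm); err != nil {
		return "", err
	}
	return path, os.Chmod(path, perm)
}

func main() {
	path := defaultLogPath
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	if _, err := os.Stat(path); err != nil {
		// Not on a Calico node: audit the constructed sample instead.
		dir, err := os.MkdirTemp("", "cni-audit")
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		defer os.RemoveAll(dir)
		if path, err = writeSampleLog(dir, 0o644); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	exp, err := auditCNILog(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s: mode %04o, readable beyond owner: %v, credential-bearing lines: %d\n",
		path, exp.Mode, exp.WorldOrGroupRead, exp.CredentialLines)
	if exp.CredentialLines > 0 {
		fmt.Println("action: rotate the ServiceAccount token, client key and CA; upgrade per TTA-2026-002")
	}
}
```

Run it as root on each node with the real path; a non-zero CredentialLines count means the rotation step above is not optional for that node, regardless of the current file mode, because earlier readers may already have copied the entries.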
Evidence notes
CVE published 2026-05-28T17:16:22.670Z; modified 2026-05-28T18:55:06.837Z. Tigera PSIRT issued security bulletin TTA-2026-002. Multiple pull requests address the issue: #12502, #12526, #12527. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, attack requirements present, low privileges required, and high confidentiality impact to the vulnerable component. CWE-532 (Insertion of Sensitive Information into Log File) identified as secondary weakness.
Official resources
2026-05-28