PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6720 Tigera CVE debrief

CVE-2026-6720 is a HIGH-severity information disclosure vulnerability in calicoctl, the command-line tool for Project Calico. When verbose logging is explicitly enabled via `--log-level=info` or `--log-level=debug`, the tool prints its complete connection-configuration struct to stderr. This struct contains all authentication credentials used to communicate with the cluster, including inline kubeconfig with bearer tokens, Kubernetes API bearer tokens, etcd passwords, and PEM-encoded etcd client certificates and keys. The vulnerability does not affect default configurations, as calicoctl's default log level is `panic`. The exposure occurs through stderr, which may be captured in CI/CD logs, session recordings, support transcripts, or local filesystem access. Any party with read access to these stderr outputs can extract credentials without requiring any Kubernetes privileges. The vulnerability was disclosed by Tigera's security team and is tracked as TTA-2026-003.

Vendor
Tigera
Product
Calico
CVSS
HIGH 7.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations using calicoctl in CI/CD pipelines, automated remediation workflows, or interactive sessions with verbose logging enabled; platform teams managing Kubernetes networking infrastructure; security teams responsible for credential lifecycle management and log access controls; and support organizations that handle session recordings or transcript sharing.

Technical summary

The vulnerability exists in calicoctl's logging implementation. When the log level is raised from the default `panic` to `info` or `debug`, the tool emits a logging statement that serializes the entire `CalicoAPIConfig` struct. This struct embeds every connection credential: the inline kubeconfig (with its bearer token), the Kubernetes API bearer token, the etcd password, and the inline PEM-encoded etcd client certificate and key. The serialized struct is written to stderr as a single log line. Because stderr is routinely captured by CI systems, session recorders, and terminal transcripts pasted into tickets, the credentials end up persistently stored in places readable by people who have no direct Kubernetes access. Exploitation requires no Kubernetes privileges, only read access to the captured stderr stream. The weakness is classified as CWE-532 (Insertion of Sensitive Information into Log File).
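To make the mechanism concrete, the following is an added Go example written for this debrief; it is not calicoctl's or libcalico-go's code. It builds a reduced stand-in for the connection-configuration struct with the credential fields the advisory lists, formats it with `%+v` the way a verbose log line would, and sets it beside a hardened variant in which every credential has a `Secret` type whose fmt rendering is always masked. The struct and field names, the sample endpoint and all credential values are constructed for the example.

```go
package main

import (
	"fmt"
	"log"
	"os"
	"strings"
)

// Secret is a string whose fmt rendering is always masked. fmt applies
// Stringer (for %v, %+v, %s, %q, %x) and GoStringer (for %#v) to exported
// struct fields, so a struct built from Secret fields survives a careless
// "dump the whole config" log statement without disclosing anything.
type Secret string

func (Secret) String() string   { return "[REDACTED]" }
func (Secret) GoString() string { return `"[REDACTED]"` } // %#v would otherwise quote the raw string

// Reveal is the only intended way to get the value back, for the code path
// that actually needs it (TLS config, Authorization header).
func (s Secret) Reveal() string { return string(s) }

// LeakyConfig mirrors the vulnerable shape: credentials are plain strings,
// so %+v serialises them verbatim. (Hypothetical stand-in, not calicoctl's type.)
type LeakyConfig struct {
	EtcdEndpoints    string
	EtcdPassword     string
	EtcdKeyPEM       string
	K8sAPIToken      string
	KubeconfigInline string
}

// SafeConfig keeps the same fields but types each credential as Secret.
type SafeConfig struct {
	EtcdEndpoints    string
	EtcdPassword     Secret
	EtcdKeyPEM       Secret
	K8sAPIToken      Secret
	KubeconfigInline Secret
}

// Constructed sample values; none of these are real credentials.
const (
	sampleEndpoint = "https://10.0.0.1:2379"
	samplePassword = "etcd-pw-example"
	sampleToken    = "eyJhbGciOiJSUzI1NiJ9.example-token"
	sampleKey      = "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIExample\n-----END EC PRIVATE KEY-----"
	sampleKubecfg  = "apiVersion: v1\nusers:\n- name: u\n  user:\n    token: " + sampleToken
)

// LeakyDebugLine is what the vulnerable pattern emits at info/debug level.
func LeakyDebugLine() string {
	cfg := LeakyConfig{sampleEndpoint, samplePassword, sampleKey, sampleToken, sampleKubecfg}
	return fmt.Sprintf("Loaded config: %+v", cfg)
}

// SafeDebugLine formats the same data with Secret-typed credentials.
func SafeDebugLine() string {
	cfg := SafeConfig{sampleEndpoint, samplePassword, sampleKey, sampleToken, sampleKubecfg}
	return fmt.Sprintf("Loaded config: %+v", cfg)
}

// SafeGoSyntaxLine shows that the Go-syntax verb is covered by GoString too.
func SafeGoSyntaxLine() string {
	cfg := SafeConfig{sampleEndpoint, samplePassword, sampleKey, sampleToken, sampleKubecfg}
	return fmt.Sprintf("Loaded config: %#v", cfg)
}

// ContainsSecret reports whether a rendered log line exposes any sample secret.
func ContainsSecret(line string) bool {
	for _, s := range []string{samplePassword, sampleToken, "BEGIN EC PRIVATE KEY"} {
		if strings.Contains(line, s) {
			return true
		}
	}
	return false
}

func main() {
	logger := log.New(os.Stderr, "", 0) // stderr, like the tool's logging sink
	logger.Println(LeakyDebugLine())
	logger.Println(SafeDebugLine())
	fmt.Println("vulnerable dump exposes credentials:", ContainsSecret(LeakyDebugLine()))
	fmt.Println("hardened dump exposes credentials:  ", ContainsSecret(SafeDebugLine()))
}
```

The point of typing the fields rather than filtering at the call site is that the protection follows the data: any future `%v`, `%+v` or `%#v` of the struct, at any log level, stays masked, and only an explicit `Reveal()` (or a `string(...)` conversion) reaches the value. Two caveats: the type does nothing for `encoding/json` or YAML marshalling, which still emit the underlying string, and unexported fields are not formatted through their methods, so the credential fields must stay exported for the masking to apply.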

Defensive priority

HIGH

Recommended defensive actions

  • Audit CI/CD pipeline logs, session recordings, and support ticket archives for historical calicoctl invocations run with `--log-level=info` or `--log-level=debug`; treat the stderr of every such run as disclosed and rotate the credentials the configuration held (kubeconfig and Kubernetes API bearer tokens, the etcd password, and the etcd client key and certificate)
  • Update calicoctl to a patched version incorporating the fixes from the referenced pull requests
  • Review and restrict access to stderr outputs from calicoctl executions, particularly in shared environments
  • Avoid using verbose logging levels in production or shared environments; use default `panic` log level where possible
  • Implement log sanitization or masking controls for container networking tools that may emit sensitive configuration data
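The audit step above can be scripted. The following is an added Go example written for this debrief, not tooling from Tigera or Project Calico: it scans a captured build log for calicoctl invocations at a verbose level and for credential-shaped material of the kinds the leaked struct contains (PEM private keys and JWT-shaped bearer tokens, since Kubernetes service-account tokens are JWTs). The sample log is constructed and does not claim to reproduce calicoctl's real debug output; matching the space-separated `--log-level debug` and the short `-l` form is an assumption based on calicoctl's documented `-l --log-level=<level>` usage, while the `--log-level=info` and `--log-level=debug` forms come from the advisory.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one audit hit: the 1-based line in the captured log, a kind, and a note.
type Finding struct {
	Line int
	Kind string
	Note string
}

var (
	// calicoctl run at info or debug. The =form is from the advisory; the
	// space-separated and -l forms are assumed from calicoctl's usage string.
	verboseInvocation = regexp.MustCompile(`(?i)\bcalicoctl\b.*?(?:--log-level(?:=|\s+)|-l\s+)(info|debug)\b`)
	// Inline PEM private key material (the etcd client key in the leaked struct).
	privateKeyHeader = regexp.MustCompile(`-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----`)
	// JWT-shaped strings: three base64url segments, the first starting with
	// "eyJ" (base64 of `{"`), which is how service-account tokens look.
	jwtToken = regexp.MustCompile(`\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b`)
)

// AuditCILog scans a captured build log (stdout and stderr interleaved) and
// returns every verbose calicoctl invocation and every credential-shaped line.
func AuditCILog(logText string) []Finding {
	var out []Finding
	for i, raw := range strings.Split(logText, "\n") {
		line := strings.TrimSpace(raw)
		n := i + 1
		if m := verboseInvocation.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{Line: n, Kind: "verbose-invocation",
				Note: "calicoctl run at log level " + strings.ToLower(m[1])})
		}
		if privateKeyHeader.MatchString(line) {
			out = append(out, Finding{Line: n, Kind: "private-key",
				Note: "PEM private key in captured output"})
		}
		if m := jwtToken.FindString(line); m != "" {
			out = append(out, Finding{Line: n, Kind: "bearer-token",
				Note: "JWT-shaped token " + m[:12] + "..."})
		}
	}
	return out
}

// CountByKind summarises findings so a pipeline gate can fail on any
// credential-shaped hit and queue verbose runs for rotation follow-up.
func CountByKind(fs []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range fs {
		counts[f.Kind]++
	}
	return counts
}

// sampleCILog is a constructed excerpt standing in for a captured pipeline
// log; the key and token values are fabricated.
const sampleCILog = `[step] deploy-network-policy
$ calicoctl get nodes
$ calicoctl --log-level=debug apply -f policy.yaml
time="2026-05-28T10:00:02Z" level=debug msg="loading client config"
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIExampleExampleExampleExampleExampleExampleExample
-----END EC PRIVATE KEY-----
$ calicoctl -l info get ippools
token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImV4YW1wbGUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50In0.c2lnbmF0dXJlLWV4YW1wbGUtc2lnbmF0dXJl
$ calicoctl get ippools -o yaml
$ calicoctl --log-level=warn get nodes`

func main() {
	findings := AuditCILog(sampleCILog)
	for _, f := range findings {
		fmt.Printf("line %2d  %-19s %s\n", f.Line, f.Kind, f.Note)
	}
	fmt.Println("summary:", CountByKind(findings))
}
```

Run it over an exported job log and the `verbose-invocation` hits tell you which runs need their stderr treated as disclosed even when no token or key happens to be visible in the export (masking or truncation in the CI viewer does not mean the raw capture is clean), while `private-key` and `bearer-token` hits are direct evidence that rotation is overdue. The `--log-level=warn` line in the sample is deliberately not flagged: only `info` and `debug` trigger the dump.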

Evidence notes

The vulnerability description is derived from the official CVE record and Tigera's security bulletin. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H) records high confidentiality impact on the vulnerable system (VC:H) and high confidentiality, integrity and availability impact on subsequent systems (SC:H/SI:H/SA:H), consistent with leaked credentials granting access to the cluster datastore; the attack-requirements (AT:P) and passive user-interaction (UI:P) metrics reflect that verbose logging must first have been enabled by an operator. CWE-532 (Insertion of Sensitive Information into Log File) is the identified weakness type. Three pull requests (12535, 12536, 12537) are referenced as remediation commits.

Official resources

2026-05-28