PatchSiren cyber security CVE debrief
CVE-2026-55882 tilt-dev CVE debrief
CVE-2026-55882 is a vulnerability in Tilt dev environments as code for microservice apps on Kubernetes. From version 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memory through /debug/pprof/heap and /debug/pprof/goroutine, including session and apiserver tokens, and degrade performance through /debug/pprof/profile or /debug/pprof/trace. The vulnerability is fixed in version 0.37.4.
- Vendor
- tilt-dev
- Product
- tilt
- CVSS
- HIGH 8.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of Tilt dev environments as code for microservice apps on Kubernetes, especially those with network-exposed HUD or apiserver listeners, should be aware of this vulnerability and take necessary precautions to mitigate it. This includes immediately upgrading to Tilt version 0.37.4 or later, limiting network exposure of HUD and apiserver listeners, implementing access controls for /debug handlers, monitoring for suspicious activity, and inventorying Tilt installations for vulnerability.
Technical summary
The Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control from version 0.19.5 through 0.37.3. This allows unauthenticated callers to read process memory through /debug/pprof/heap and /debug/pprof/goroutine, including session and apiserver tokens, and degrade performance through /debug/pprof/profile or /debug/pprof/trace when the HUD or apiserver listener is network-exposed. Users should be aware of the potential risks and take necessary precautions to mitigate the vulnerability.
Defensive priority
High
Recommended defensive actions
- Immediately upgrade to Tilt version 0.37.4 or later
- Limit network exposure of HUD and apiserver listeners
- Implement access controls for /debug handlers
- Monitor for suspicious activity
- Inventory Tilt installations for vulnerability
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
Evidence is based on official CVE and NVD records, as well as source references from GitHub. The CVE record was published on 2026-07-10T22:16:44.113Z and has not been modified since then. The vulnerability affects Tilt dev environments as code for microservice apps on Kubernetes, specifically versions from 0.19.5 through 0.37.3. The Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control, allowing unauthenticated callers to read process memory and degrade performance when the HUD or apiserver listener is network-exposed.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T22:16:44.113Z and has not been modified since then.