PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55883 tilt-dev CVE debrief

CVE-2026-55883 is a high-severity vulnerability affecting Tilt, a tool for defining dev environments as code for microservice apps on Kubernetes. The issue exists in versions 0.24.0 through 0.37.3, where the Tilt HUD WebSocket at /ws/view, gated by a CSRF token, can be exploited by an attacker who can reach the listener when the HUD is network-exposed. This allows the attacker to open the HUD WebSocket and receive the full view stream, including session state, Tiltfile contents, resource statuses, and continued updates. The vulnerability is fixed in version 0.37.4. Users of Tilt versions 0.24.0 through 0.37.3 who expose the HUD to the network should be aware of this vulnerability and take immediate action to mitigate the risk.

Vendor
tilt-dev
Product
tilt
CVSS
HIGH 8.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of Tilt versions 0.24.0 through 0.37.3 who expose the HUD to the network should be aware of this vulnerability and take immediate action to mitigate the risk. This includes administrators, developers, and security teams responsible for managing and securing Tilt environments. They should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance. They should also plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.

Technical summary

The Tilt HUD WebSocket at /ws/view is gated by a CSRF token, which is served by the unauthenticated /api/websocket_token endpoint. The upgrader accepts clients that omit an Origin header, allowing an attacker who can reach the listener to open the HUD WebSocket and receive the full view stream. This includes sensitive information such as session state, Tiltfile contents, resource statuses, and continued updates. The vulnerability is fixed in version 0.37.4.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Tilt version 0.37.4 or later
  • Limit network exposure of the Tilt HUD
  • Implement additional security measures to protect against CSRF attacks
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-10T22:16:44.287Z and has not been modified since then. The NVD entry is currently 8.3 HIGH. This vulnerability affects Tilt versions 0.24.0 through 0.37.3. The Tilt HUD WebSocket at /ws/view is gated by a CSRF token, which is served by the unauthenticated /api/websocket_token endpoint. The upgrader accepts clients that omit an Origin header, allowing an attacker who can reach the listener to open the HUD WebSocket and receive the full view stream. This includes sensitive information such as session state, Tiltfile contents, resource statuses, and continued updates. Users of Tilt versions 0.24.0 through 0.37.3 who expose the HUD to the network should be aware of this vulnerability and take immediate action to mitigate the risk. The vulnerability is fixed in version 0.37.4.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T22:16:44.287Z and has not been modified since then.