MEDIUM
kumahq
CVE published 2026-05-28
CVE-2026-45021
A cross-origin information disclosure vulnerability in the Kuma service mesh control plane (kuma-cp) allows malicious websites to steal administrative credentials. The default configuration permits any origin via CorsAllowedDomains: [.*] and treats localhost requests as administrative (LocalhostIsAdmin: true). When an operator visits a malicious webpage while the control plane is browser-reachable, the page c [truncated]