CVE-2026-6720 is a HIGH-severity information disclosure vulnerability in calicoctl, the command-line tool for Project Calico. When verbose logging is explicitly enabled via `--log-level=info` or `--log-level=debug`, the tool prints its complete connection-configuration struct to stderr. This struct contains all authentication credentials used to communicate with the cluster, including inline kubeconfig wi [truncated]
When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After this mutation, the Azure IPAM helper logs the entire unmarshaled configuration map (`stdinData`) at INFO level to `/var/log/calico/cni/cni.log` on every CNI ADD and DEL invocation, once per pod scheduled or terminated on the node [truncated]
A vulnerability in Calico's install-cni init container causes Kubernetes ServiceAccount bearer tokens to be logged to standard output when the CNI configuration template uses the `__SERVICEACCOUNT_TOKEN__` placeholder. This affects Canal/Flannel-Calico deployments. The logged token grants patch privileges on `pods/status`, which can be exploited by any authenticated user with `pods/log` permission in the calico [truncated]