Home

Description

Karmada Dashboard is a general-purpose, web-based control panel for Karmada which is a multi-cluster management project. Prior to version 0.2.0, there is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints (e.g., /api/v1/secret, /api/v1/service) did not enforce authentication, allowing unauthenticated users to access sensitive cluster information such as Secrets and Services directly. Although the web UI required a valid JWT for access, the API itself remained exposed to direct requests without any authentication checks. Any user or entity with network access to the Karmada Dashboard service could exploit this vulnerability to retrieve sensitive data.

PUBLISHED Reserved 2025-10-20 | Published 2025-10-24 | Updated 2025-10-24 | Assigner GitHub_M




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-862: Missing Authorization

Product status

< 0.2.0
affected

References

github.com/...hboard/security/advisories/GHSA-5qjg-9mjh-4r92

github.com/karmada-io/dashboard/pull/271

github.com/karmada-io/dashboard/pull/280

github.com/...ommit/8457b8bb87725e2371a638ca5a255fd2895c70f1

github.com/...ommit/d2d04909f25e96b4c20fa6b636c398bd1636ee06

github.com/karmada-io/dashboard/releases/tag/v0.2.0

cve.org (CVE-2025-62714)

nvd.nist.gov (CVE-2025-62714)

Download JSON