Description

kgateway is a cloud-native API and AI gateway. In versions 2.0.4 and below, and in 2.1.0-agw-cel-rbac through 2.1.0-rc.2, the xDS port lacks authentication, so any client with unrestricted network access to that port can retrieve potentially sensitive configuration data, including certificate data, backend service information, routing rules, and cluster metadata. This issue is fixed in versions 2.0.5 and 2.1.0.

Status: Published | Reserved 2025-10-30 | Published 2025-11-07 | Updated 2025-11-07 | Assigner: GitHub_M

Severity: MEDIUM, CVSS 3.1 base score 5.3 (vector CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Problem types

CWE-862: Missing Authorization

Product status

>= 2.1.0-agw-cel-rbac, < 2.1.0: affected

< 2.0.5: affected

References

github.com/...ateway/security/advisories/GHSA-4766-x535-jw3r

github.com/kgateway-dev/kgateway/issues/10651

github.com/kgateway-dev/kgateway/pull/12471

github.com/kgateway-dev/kgateway/pull/12535

cve.org (CVE-2025-64323)

nvd.nist.gov (CVE-2025-64323)