
Description

In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace where calico-node runs. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001.
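As an added example, not Calico's code and not the fix in the linked pull requests, this Go snippet shows the leak pattern the description outlines and two defender-side checks: masking the substituted token before the rendered config reaches stdout, and scanning existing pod log lines for JWT-shaped strings to confirm whether a token was already exposed. The template shape, the k8s_auth_token key name and the token value are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed template in the shape of a Canal-style CNI config that
// carries the placeholder; the key name k8s_auth_token is an assumption.
const cniTemplate = `{"name":"k8s-pod-network","plugins":[{"type":"calico",` +
	`"kubernetes":{"k8s_auth_token":"__SERVICEACCOUNT_TOKEN__",` +
	`"k8s_api_root":"https://10.96.0.1:443"}}]}`

const placeholder = "__SERVICEACCOUNT_TOKEN__"

// Render substitutes the live token, which is what the installer must do
// before writing the config file; logging this string is the defect.
func Render(tmpl, token string) string {
	return strings.ReplaceAll(tmpl, placeholder, token)
}

// RedactForLog returns the rendered config with the token value masked,
// the form that should reach stdout instead of the live credential.
func RedactForLog(rendered, token string) string {
	if token == "" {
		return rendered
	}
	return strings.ReplaceAll(rendered, token, "<redacted>")
}

// jwtPattern matches the three dot-separated base64url segments of a
// ServiceAccount JWT (header always starts with "eyJ" for {"alg":...}).
var jwtPattern = regexp.MustCompile(`eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+`)

// LeakedTokenLines returns the indices of log lines carrying a JWT-shaped
// string, for auditing captured install-cni logs after the fact.
func LeakedTokenLines(logLines []string) []int {
	var hits []int
	for i, l := range logLines {
		if jwtPattern.MatchString(l) {
			hits = append(hits, i)
		}
	}
	return hits
}

func main() {
	// Constructed token, not a real credential.
	token := "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjYWxpY28tbm9kZSJ9.c2lnbmF0dXJl"
	rendered := Render(cniTemplate, token)
	fmt.Println("leaky log line:   ", rendered)
	fmt.Println("redacted log line:", RedactForLog(rendered, token))
	fmt.Println("lines with JWTs:  ", LeakedTokenLines([]string{rendered, RedactForLog(rendered, token)}))
}
```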

PUBLISHED Reserved 2026-04-17 | Published 2026-05-28 | Updated 2026-05-28 | Assigner Tigera




MEDIUM: 6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L

Problem types

CWE-532 Insertion of Sensitive Information into Log File

Product status

Default status: affected

3.32.0 (semver): unaffected

Any version before 3.31.6: affected

Credits

Behnam Shobiri finder

Behnam Shobiri remediation developer

Anthony Tam remediation reviewer

Matt Dupre remediation reviewer

Casey Davenport remediation verifier

References

github.com/projectcalico/calico/pull/12502 patch

github.com/projectcalico/calico/pull/12527 patch

github.com/projectcalico/calico/pull/12526 patch

www.tigera.io/security-bulletins/tta-2026-001/ vendor-advisory

cve.org (CVE-2026-41184)

nvd.nist.gov (CVE-2026-41184)
