Home

Description

Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.24.0 through 0.37.3, the Tilt HUD WebSocket at /ws/view is gated by a CSRF token, but the token is served by the unauthenticated /api/websocket_token endpoint and the upgrader accepts clients that omit an Origin header. When the HUD is network-exposed, an attacker who can reach the listener can open the HUD WebSocket and receive the full view stream, including session state, Tiltfile contents, resource statuses, and continued updates. This issue is fixed in version 0.37.4.

PUBLISHED Reserved 2026-06-17 | Published 2026-07-10 | Updated 2026-07-14 | Assigner GitHub_M




HIGH: 8.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-345: Insufficient Verification of Data Authenticity

Product status

>= 0.24.0, < 0.37.4
affected

References

github.com/...v/tilt/security/advisories/GHSA-6m68-r693-78qx

github.com/tilt-dev/tilt/pull/6776

github.com/...ommit/47393fba7f6ef5e305d5e814551feef8e4acbc0a

github.com/tilt-dev/tilt/releases/tag/v0.37.4

cve.org (CVE-2026-55883)

nvd.nist.gov (CVE-2026-55883)

Download JSON