CVE-2026-42283
DevSpace UI Server WebSocket CheckOrigin does not validate source
CVSS Score
7.7
EPSS Score
0.0%
EPSS Percentile
0th
DevSpace is a client-only developer tool for cloud-native development with Kubernetes. Prior to 6.3.21, DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to ws://127.0.0.1:8090. This vulnerability is fixed in 6.3.21.
| CWE | CWE-306 CWE-200 |
| Vendor | devspace-sh |
| Product | devspace |
| Published | May 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for devspace-sh devspace
Be the first to know when new high vulnerabilities affecting devspace-sh devspace are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
devspace-sh / devspace
< 6.3.21