CVE Alert

CVE-2026-45021

Severity: UNKNOWN (0.0)

Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5.
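As an added defender's check, not code from the advisory or the Kuma project: the two settings from the description as they would sit under apiServer in a kuma-cp YAML config, beside a hardened variant, with a small audit that flags the combination the advisory describes. The apiServer.corsAllowedDomains and apiServer.authn.localhostIsAdmin paths, the anchored-regex matching of allowed domains, and all config values are assumptions or constructed for illustration.

```python
import re

# Constructed config dicts mirroring the YAML shape assumed for kuma-cp's
# apiServer section (CorsAllowedDomains / LocalhostIsAdmin in the advisory).
# Pre-fix defaults as described in the advisory:
VULNERABLE_CONFIG = {
    "apiServer": {
        "corsAllowedDomains": [".*"],
        "authn": {"localhostIsAdmin": True},
    }
}

# Hardened variant: an explicit operator-UI origin and no loopback promotion.
HARDENED_CONFIG = {
    "apiServer": {
        "corsAllowedDomains": [r"https://kuma-gui\.corp\.example"],
        "authn": {"localhostIsAdmin": False},
    }
}

# Constructed probe origins no legitimate operator UI would use; if the
# allow-list accepts any of them it is effectively a wildcard.
PROBE_ORIGINS = ("https://attacker.example", "http://localhost:1234", "null")


def origin_allowed(patterns, origin):
    """True if any allow-list pattern matches the whole Origin value.
    Assumes patterns are applied as anchored regular expressions."""
    return any(re.fullmatch(p, origin) for p in patterns)


def audit(config):
    """Return a list of findings for the CORS + localhost-admin combination."""
    api = config.get("apiServer", {})
    patterns = api.get("corsAllowedDomains", [])
    localhost_admin = api.get("authn", {}).get("localhostIsAdmin", False)
    reflected = [o for o in PROBE_ORIGINS if origin_allowed(patterns, o)]
    findings = []
    if reflected:
        findings.append("CORS allow-list reflects arbitrary origins: "
                        + ", ".join(reflected))
    if localhost_admin:
        findings.append("localhostIsAdmin promotes loopback requests "
                        "to mesh-system:admin")
    if reflected and localhost_admin:
        findings.append("CRITICAL: any page open in an operator's browser "
                        "can read the admin token cross-origin")
    return findings
```

Run audit() over a parsed kuma-cp config; an empty list means neither weak setting is present, and the CRITICAL finding means the advisory's exact precondition holds.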

CWE: CWE-346, CWE-942
Vendor: kumahq
Product: kuma
Published: May 28, 2026
Last Updated: May 28, 2026

Affected Versions

kumahq / kuma
< 2.7.25
>= 2.9.0, < 2.9.15
>= 2.11.0, < 2.11.13
>= 2.12.0, < 2.12.10
>= 2.13.0, < 2.13.5

References

https://github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2
https://github.com/kumahq/kuma/pull/16416
https://github.com/kumahq/kuma/pull/16423
https://github.com/kumahq/kuma/pull/16424
https://github.com/kumahq/kuma/pull/16425
https://github.com/kumahq/kuma/pull/16426
https://github.com/kumahq/kuma/pull/16427
https://github.com/kumahq/kuma/commit/8fefa8595d44eb68d922405702ed7a0826322907