CVE-2026-55884
Tilt: Missing authentication on the network-exposed Tilt HUD server
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-loopback address, an unauthenticated network caller can trigger developer-defined resources, tamper with Tiltfile arguments, read full engine state including the session token, and invoke apiserver resources through the token-attaching /proxy handler. This issue is fixed in version 0.37.4.
| CWE | CWE-306 |
| Vendor | tilt-dev |
| Product | tilt |
| Published | Jul 10, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for tilt-dev tilt
Be the first to know when new unknown vulnerabilities affecting tilt-dev tilt are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
tilt-dev / tilt
>= 0.20.8, < 0.37.4