CVE Alert

CVE-2026-6720

Severity: UNKNOWN

Calicoctl leaks cluster credentials to stderr when verbose logging is enabled

CVSS Score: 0.0
EPSS Score: 0.0% (0th percentile)

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. That struct embeds every credential calicoctl uses to reach the cluster: the inline kubeconfig (including its bearer token), the Kubernetes API bearer token, the etcd password, and the inline PEM-encoded etcd client certificate and key.

Anyone who can read that stderr stream can extract the credentials without holding any Kubernetes privilege. CI job logs, session-recording archives, support-ticket transcripts with pasted output, and files left on the host that ran calicoctl are all realistic places for the line to end up.

calicoctl's default log level is panic, so the leak only occurs when verbose logging is explicitly enabled. Because this is a CWE-532 log-exposure issue rather than a remote exploit, remediation has two parts: upgrade to a fixed release, and, if verbose calicoctl output has ever been captured or shared, treat the tokens, password and key embedded in it as compromised and rotate them.
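The defect is a whole-struct dump of a type whose fields hold secrets; the simplest way to produce such a line in Go is formatting the struct with %+v, which is what the example below assumes. It is an added illustration, not calicoctl's code or the Calico fix: the config struct and its field names are hypothetical, and the credentials in SampleConfig are constructed and fake. It shows the vulnerable call site, the hardened form in which the struct implements fmt.Stringer so that any %v, %+v or %s formatting prints a redacted copy, and a small scanner a practitioner can run over captured CI logs or transcripts to find PEM private-key headers and JWT-shaped bearer tokens without knowing their values.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ClusterConfig stands in for a CLI's loaded connection configuration; field names are hypothetical.
type ClusterConfig struct {
	Datastore        string
	KubeconfigInline string // inline kubeconfig, which may itself carry a bearer token
	K8sBearerToken   string
	EtcdUsername     string
	EtcdPassword     string
	EtcdCertPEM      string
	EtcdKeyPEM       string
}

// redacted returns a copy with every credential-bearing field masked; a new secret is one line here.
func (c ClusterConfig) redacted() ClusterConfig {
	mask := func(s string) string {
		if s == "" {
			return ""
		}
		return "<redacted>"
	}
	c.KubeconfigInline = mask(c.KubeconfigInline)
	c.K8sBearerToken = mask(c.K8sBearerToken)
	c.EtcdPassword = mask(c.EtcdPassword)
	c.EtcdCertPEM = mask(c.EtcdCertPEM) // not secret by itself, but cheap to hide
	c.EtcdKeyPEM = mask(c.EtcdKeyPEM)
	return c
}

// plainConfig has the same fields but no String method, so %+v on it prints the raw struct.
type plainConfig ClusterConfig

// String implements fmt.Stringer: every %v, %+v or %s of a ClusterConfig, including log
// calls nobody audited, now prints the redacted form. Only %#v bypasses it.
func (c ClusterConfig) String() string {
	return fmt.Sprintf("%+v", plainConfig(c.redacted()))
}

// VulnerableLogLine reproduces the defect: the whole raw struct lands in one log line.
func VulnerableLogLine(cfg ClusterConfig) string {
	return fmt.Sprintf(`level=debug msg="loaded config: %+v"`, plainConfig(cfg))
}

// SafeLogLine is the identical call site once the Stringer exists.
func SafeLogLine(cfg ClusterConfig) string {
	return fmt.Sprintf(`level=debug msg="loaded config: %+v"`, cfg)
}

// LeaksKnownSecret reports whether any non-empty secret from cfg appears verbatim in line.
func LeaksKnownSecret(line string, cfg ClusterConfig) bool {
	for _, s := range []string{cfg.KubeconfigInline, cfg.K8sBearerToken, cfg.EtcdPassword, cfg.EtcdKeyPEM} {
		if s != "" && strings.Contains(line, s) {
			return true
		}
	}
	return false
}

var (
	pemPrivateKeyRe = regexp.MustCompile(`-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----`)
	jwtRe           = regexp.MustCompile(`\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b`)
)
// FindCredentialShapes scans captured log text (a CI job log, a pasted transcript) for material
// shaped like the credentials at issue. Tokens are truncated so the report is not a second leak.
func FindCredentialShapes(logText string) []string {
	var hits []string
	for _, m := range pemPrivateKeyRe.FindAllString(logText, -1) {
		hits = append(hits, "pem-private-key: "+m)
	}
	for _, m := range jwtRe.FindAllString(logText, -1) {
		hits = append(hits, "jwt-token: "+m[:12]+"...")
	}
	return hits
}

// SampleConfig is a constructed fixture with obviously fake credentials.
func SampleConfig() ClusterConfig {
	return ClusterConfig{
		Datastore:      "kubernetes",
		K8sBearerToken: "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjYWxpY29jdGwifQ.c2lnbmF0dXJlLWZha2U",
		EtcdUsername:   "calico",
		EtcdPassword:   "fake-etcd-password",
		EtcdKeyPEM:     "-----BEGIN RSA PRIVATE KEY-----\nFAKEKEYMATERIAL\n-----END RSA PRIVATE KEY-----",
	}
}
func main() {
	cfg := SampleConfig()
	fmt.Println(VulnerableLogLine(cfg)) // token, password and key in the clear
	fmt.Println(SafeLogLine(cfg))       // same call site, now <redacted>
	fmt.Println(FindCredentialShapes(VulnerableLogLine(cfg)))
}
```

Putting the redaction in a String method rather than at each log call is the design choice worth copying: the leak described above came from one call site that dumped the struct, and a Stringer closes every present and future call site of that kind at once. The scanner is deliberately value-agnostic, so it can be pointed at archived job logs from before the upgrade to decide which credentials need rotating.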

CWE: CWE-532 (Insertion of Sensitive Information into Log File)
Vendor: tigera
Product: calico
Published: May 28, 2026
Last Updated: May 28, 2026

Affected Versions

Tigera / Calico: all versions before 3.32.0
Tigera / Calico Enterprise: all versions before 3.21.7
Tigera / Calico Cloud: all versions before 22.4.0

References

NVD, CVE.org, EPSS Data
https://github.com/projectcalico/calico/pull/12535
https://github.com/projectcalico/calico/pull/12536
https://github.com/projectcalico/calico/pull/12537
https://www.tigera.io/security-bulletins/tta-2026-003/

Credits

Behnam Shobiri, Anthony Tam