CVE-2026-6720

Published 28/05/2026 17:16 · Modified 29/05/2026 15:39

Labels: CVE-2026-6720, 2026-05-28, CWE-532, [email protected]

Essential information

Author
Creator
CVSS
7.2 HIGH (v3) 7.2 HIGH (v4.0)
CISA KEV
No
Description

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.
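The following Go example, written for this page and not taken from calicoctl, illustrates the CWE-532 pattern the description refers to (formatting a whole configuration struct into a log line) next to the redact-before-log fix, plus a test-time check that a log line carries no credential verbatim. The ClusterConfig type, its field names and the sample values are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// ClusterConfig stands in for a client's loaded connection configuration (hypothetical; field names are not calicoctl's).
type ClusterConfig struct {
	Endpoint     string
	Kubeconfig   string // inline kubeconfig, may embed a bearer token
	Token        string // Kubernetes API bearer token
	EtcdPassword string
	EtcdKeyPEM   string // inline PEM-encoded etcd client key
}

// NaiveDump is the CWE-532 pattern: %+v on the whole struct puts every credential into one log line.
func NaiveDump(c ClusterConfig) string {
	return fmt.Sprintf("loaded config: %+v", c)
}

// Redacted returns a copy with every non-empty secret masked; empty fields stay empty so the log still shows what was configured.
func (c ClusterConfig) Redacted() ClusterConfig {
	for _, p := range []*string{&c.Kubeconfig, &c.Token, &c.EtcdPassword, &c.EtcdKeyPEM} {
		if *p != "" {
			*p = "<redacted>"
		}
	}
	return c
}

// SafeDump formats only the redacted copy; non-secret fields such as Endpoint remain readable for debugging.
func SafeDump(c ClusterConfig) string {
	return fmt.Sprintf("loaded config: %+v", c.Redacted())
}

// LeaksSecret is a unit-test check: does the log line contain any credential verbatim?
func LeaksSecret(line string, c ClusterConfig) bool {
	for _, s := range []string{c.Kubeconfig, c.Token, c.EtcdPassword, c.EtcdKeyPEM} {
		if s != "" && strings.Contains(line, s) {
			return true
		}
	}
	return false
}

func main() {
	cfg := ClusterConfig{Endpoint: "https://10.0.0.1:6443", Token: "sample-token", EtcdPassword: "etcd-pass-123"} // constructed sample values
	fmt.Println(LeaksSecret(NaiveDump(cfg), cfg), LeaksSecret(SafeDump(cfg), cfg)) // true false
}
```

Wiring the LeaksSecret check into the client's own tests, with every log level enabled, catches a regression of this kind before a release ships.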

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

Product              CPE
calico / calicoctl   cpe:2.3:a:calico:calicoctl:*:*:*:*:*:*:*:*
tigera / calico-ctl  cpe:2.3:a:tigera:calico-ctl:*:*:*:*:*:*:*:*