CVE-2026-41184
Published: May 28, 2026
Updated: June 13, 2026
In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the SERVICEACCOUNT_TOKEN placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace where calico-node runs. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001.
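A check for this exposure in collected container logs, as an added Go example (not Calico's code): it finds JWT-shaped strings and reports those whose `sub` claim names a Kubernetes ServiceAccount. The log line shape, the `canal` account name and the sample token are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// jwtRe matches three base64url segments; a JSON JWT header always encodes to "eyJ...".
var jwtRe = regexp.MustCompile(`eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+`)

// LeakedServiceAccounts returns the distinct "sub" claims of JWT-shaped strings in
// logText that name a Kubernetes ServiceAccount. Signatures are not verified.
func LeakedServiceAccounts(logText string) []string {
	var subjects []string
	seen := map[string]bool{}
	for _, tok := range jwtRe.FindAllString(logText, -1) {
		payload, err := base64.RawURLEncoding.DecodeString(strings.Split(tok, ".")[1])
		if err != nil {
			continue // JWT-shaped but not decodable
		}
		var claims struct {
			Sub string `json:"sub"`
		}
		if json.Unmarshal(payload, &claims) != nil {
			continue // payload is not a JSON claims object
		}
		if strings.HasPrefix(claims.Sub, "system:serviceaccount:") && !seen[claims.Sub] {
			seen[claims.Sub] = true
			subjects = append(subjects, claims.Sub)
		}
	}
	return subjects
}

// constructedToken builds an unsigned sample token (constructed, not a real credential).
func constructedToken(sub string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"RS256"}`)) + "." + enc([]byte(`{"sub":"`+sub+`"}`)) + ".c2ln"
}

func main() {
	// Constructed log lines: one with a substituted token, one with the value masked.
	tok := constructedToken("system:serviceaccount:kube-system:canal")
	logs := `CNI config: {"k8s_auth_token":"` + tok + `"}` + "\n" + `CNI config: {"k8s_auth_token":"<redacted>"}`
	fmt.Println(LeakedServiceAccounts(logs))
}
```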
Affected Packages
https://github.com/projectcalico/calico.git (GITHUB):
Affected version(s): >=v0.0.1-alpha-confd <v3.32.0
Fix Suggestion: Update to version v3.32.0
github.com/projectcalico/calico (GO):
Affected version(s): >=v0.0.0-20131006224316-1b25e25e6002 <v3.32.0
Fix Suggestion: Update to version v3.32.0
Additional Notes
The description of this vulnerability differs from MITRE.
CVSS v4
Base Score: 6
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: PRESENT
Privileges Required: LOW
User Interaction: NONE
Vulnerable System Confidentiality: HIGH
Vulnerable System Integrity: NONE
Vulnerable System Availability: NONE
Subsequent System Confidentiality: LOW
Subsequent System Integrity: LOW
Subsequent System Availability: LOW
CVSS v3
Base Score: 7.7
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: NONE
Weakness Type (CWE)
Insertion of Sensitive Information into Log File
EPSS
Base Score: 0.05