{"id":"CVE-2026-44514","summary":"Kubetail: Cross-Site WebSocket Hijacking allows attacker to read Kubernetes logs from authenticated users","details":"Kubetail is a real-time logging dashboard for Kubernetes. Prior to 0.14.0, Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. This is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability and affects both the desktop deployment (default http://localhost:7500) and cluster deployments (typically behind an Ingress with HTTP basic auth). This vulnerability is fixed in 0.14.0.","aliases":["GHSA-v8j7-hp7c-738f","GO-2026-5656"],"modified":"2026-07-08T08:05:14.732249939Z","published":"2026-05-14T16:20:11.743Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44514.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-1385"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44514.json"},{"type":"ADVISORY","url":"https://github.com/kubetail-org/kubetail/security/advisories/GHSA-v8j7-hp7c-738f"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44514"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kubetail-org/kubetail","events":[{"introduced":"0"},{"fixed":"f01248e5eb05917e36988fa5b51f1048aa57e2bc"},{"fixed":"55b5f444038bccef8567d4841587f14db9d9427a"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"0.14.0"},{"fixed":"0.16.0"}],"source":"AFFECTED_FIELD"}}],"versions":["dashboard/v0.15.0-rc2","dashboard/v0.15.0","cluster-api/v0.8.0-rc2","cluster-api/v0.8.0","cluster-agent/v0.7.0","cli/v0.17.0","dashboard/v0.15.0-rc1","cluster-api/v0.8.0-rc1","cluster-agent/v0.7.0-rc1","dashboard/v0.14.0-rc3","dashboard/v0.14.0","cluster-api/v0.7.0","cluster-api/v0.6.1-rc2","cli/v0.16.0","cli/v0.15.1-rc3","dashboard/v0.13.0","cluster-api/v0.6.0","cli/v0.15.0","dashboard/v0.12.1","cli/v0.14.1","dashboard/v0.12.0","cluster-api/v0.5.6","cli/v0.14.0","dashboard/v0.11.0","cluster-api/v0.5.5","cli/v0.13.0","dashboard/v0.10.2","cluster-api/v0.5.4","cli/v0.12.2","dashboard/v0.10.1-rc1","dashboard/v0.10.1","cluster-api/v0.5.3","cluster-agent/v0.6.2","dashboard/v0.10.0","cluster-api/v0.5.2","cli/v0.12.1","cli/v0.12.0","dashboard/v0.9.1","cluster-api/v0.5.1","cluster-agent/v0.6.1","cli/v0.11.1","dashboard/v0.9.0","cluster-api/v0.5.0","cluster-agent/v0.6.0","cli/v0.11.0","dashboard/v0.8.4","cluster-api/v0.4.6","cluster-agent/v0.5.2","dashboard/v0.8.4-rc1","dashboard/v0.8.3","cluster-api/v0.4.5","cli/v0.10.1","dashboard/v0.8.2","dashboard/v0.8.1","cluster-api/v0.4.4","cluster-agent/v0.5.1","dashboard/v0.8.0","cli/v0.10.0","dashboard/v0.7.4","dashboard/v0.7.3","cli/v0.9.0","dashboard/v0.7.3-rc1","dashboard/v0.7.2","cli/v0.8.2","dashboard/v0.7.1","cli/v0.8.1","dashboard/v0.7.0","cluster-api/v0.4.3","cluster-agent/v0.5.0","cli/v0.8.0","cluster-agent/v0.5.0-rc3","cli/v0.7.5","cluster-api/v0.4.3-rc2","cluster-agent/v0.5.0-rc2","cluster-agent/v0.5.0-rc1","dashboard/v0.6.4","cli/v0.7.4","dashboard/v0.6.3-rc4","dashboard/v0.6.3","cluster-api/v0.4.2-rc4","cluster-api/v0.4.2","cluster-agent/v0.4.2-rc4","cluster-agent/v0.4.2","cli/v0.7.3-rc5","cli/v0.7.3","dashboard/v0.6.3-rc3","cluster-api/v0.4.2-rc3","cluster-agent/v0.4.2-rc3","cli/v0.7.3-rc4","dashboard/v0.6.3-rc2","cluster-api/v0.4.2-rc2","cluster-agent/v0.4.2-rc2","cli/v0.7.2-rc3","cli/v0.7.2-rc2","dashboard/v0.6.3-rc1","cluster-api/v0.4.2-rc1","cluster-agent/v0.4.2-rc1","cli/v0.7.2-rc1","dashboard/v0.6.1","cluster-api/v0.4.1","cluster-agent/v0.4.1","dashboard/v0.6.2","cli/v0.7.1","dashboard/v0.6.0","cluster-api/v0.4.0","cluster-agent/v0.4.0","cli/v0.7.0","dashboard/v0.5.0","cluster-api/v0.3.0","cluster-agent/v0.3.0","dashboard/v0.5.0-rc1","cluster-api/v0.3.0-rc1","cluster-agent/v0.3.0-rc1","cli/v0.6.0","dashboard/v0.4.5","dashboard/v0.4.4-rc1","dashboard/v0.4.4","cluster-api/v0.2.4-rc1","cluster-api/v0.2.4","cluster-agent/v0.2.2-rc1","cluster-agent/v0.2.2","dashboard/v0.4.3-rc1","dashboard/v0.4.3","cluster-api/v0.2.3-rc1","cluster-api/v0.2.3","cluster-agent/v0.2.1-rc1","cluster-agent/v0.2.1","cli/v0.5.3","dashboard/v0.4.2","cli/v0.5.2","dashboard/v0.4.1","cluster-api/v0.2.2-rc1","cluster-api/v0.2.2","cli/v0.5.1-rc2","cli/v0.5.1","dashboard/v0.4.0","cli/v0.5.0","cli/v0.4.5","cli/v0.4.4","dashboard/v0.3.1","cluster-api/v0.2.1","cli/v0.4.3","cli/v0.4.2","cli/v0.4.1","dashboard/v0.3.0","cluster-api/v0.2.0","cluster-agent/v0.2.0","cli/v0.4.0","dashboard/v0.2.3","cluster-api/v0.1.5","cluster-agent/v0.1.5","cli/v0.3.3","dashboard/v0.2.2","cli/v0.3.2","dashboard/v0.2.1","cli/v0.3.1","dashboard/v0.2.0","cli/v0.3.0","dashboard/v0.1.9","cli/v0.2.3","dashboard/v0.1.8","cli/v0.2.2","cli/v0.2.1","dashboard/v0.1.7","cluster-api/v0.1.4","cluster-agent/v0.1.4","cli/v0.2.0","dashboard/v0.1.6","cluster-api/v0.1.3","cluster-agent/v0.1.3","cli/v0.1.5","dashboard/v0.1.5","cli/v0.1.4","dashboard/v0.1.4","cluster-api/v0.1.2","cluster-agent/v0.1.2","cli/v0.1.3","dashboard/v0.1.3","cli/v0.1.2","dashboard/v0.1.2","cli/v0.1.1","dashboard/v0.1.1","cluster-api/v0.1.1","cluster-agent/v0.1.1","cli/v0.1.0","dashboard/v0.1.0-rc3","dashboard/v0.1.0","cluster-api/v0.1.0","cluster-agent/v0.1.0","dashboard/v0.1.0-rc2","dashboard/v0.1.0-rc1","cluster-api/v0.1.0-rc1","cluster-agent/v0.1.0-rc1","cli/v0.0.9","cli/v0.0.8-rc2","cli/v0.0.8","server/v0.10.0-rc1","cli/v0.0.8-rc1","server/v0.9.3","cli/v0.0.7","server/v0.9.2","cli/v0.0.6","server/v0.9.1","cli/v0.0.5","server/v0.9.0-rc1","server/v0.9.0","agent/v0.9.0-rc1","agent/v0.9.0","cli/v0.0.4","cli/v0.0.3","cli/v0.0.2","cli/v0.0.1","0.8.0-rc2","0.7.2","0.7.1","0.7.0","0.6.3","0.6.2","0.6.1","0.6.0","0.5.4","0.5.3","0.5.2","0.5.1","0.5.0","0.4.6","0.4.5","0.4.4","0.4.3","0.4.2","0.4.1","0.4.0","0.3.1","0.3.0","0.2.0","0.1.9","0.1.8","0.1.7","0.1.6","0.1.5","0.1.4","0.1.3","0.1.2","0.1.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44514.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}