{"id":"CVE-2026-45021","summary":"Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin","details":"Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [\".*\"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5.","aliases":["GHSA-3vcp-chfh-f6r2"],"modified":"2026-07-08T08:18:22.126419033Z","published":"2026-05-28T17:45:14.434Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45021.json","cwe_ids":["CWE-346","CWE-942"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45021.json"},{"type":"ADVISORY","url":"https://github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45021"},{"type":"FIX","url":"https://github.com/kumahq/kuma/commit/8fefa8595d44eb68d922405702ed7a0826322907"},{"type":"FIX","url":"https://github.com/kumahq/kuma/pull/16416"},{"type":"FIX","url":"https://github.com/kumahq/kuma/pull/16423"},{"type":"FIX","url":"https://github.com/kumahq/kuma/pull/16424"},{"type":"FIX","url":"https://github.com/kumahq/kuma/pull/16425"},{"type":"FIX","url":"https://github.com/kumahq/kuma/pull/16426"},{"type":"FIX","url":"https://github.com/kumahq/kuma/pull/16427"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kumahq/kuma","events":[{"introduced":"0"},{"introduced":"948e6a4391632607148f4dcdf7e9adce422a8075"},{"introduced":"77a25d52f5a6d1fd6df6e6d5ffa9ab8e3ce8456e"},{"introduced":"6b4779917a9f9f9a73ef959a22e243b9a14b4ba1"},{"introduced":"99bb946e09bcdf7f7e6c1275c8bf14206db77274"},{"fixed":"316b38f74fa56afa8017a5b9348d97128354d1a6"},{"fixed":"2fb87410c631ab1597802ca694c64bb5378316d7"},{"fixed":"5d3be278f7c9657586411b82ce10ea26f1278f4a"},{"fixed":"44f11393a9f2bd10c62265bab924c206f3e138d8"},{"fixed":"6fbb2b7181215751100d09ca4706a2fe2b58e174"},{"fixed":"8fefa8595d44eb68d922405702ed7a0826322907"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"2.7.25"},{"introduced":"2.9.0"},{"fixed":"2.9.15"},{"introduced":"2.11.0"},{"fixed":"2.11.13"},{"introduced":"2.12.0"},{"fixed":"2.12.10"},{"introduced":"2.13.0"},{"fixed":"2.13.5"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["2.9.14","v2.7.24","v2.12.9","v2.13.4","v2.11.12","v2.9.13","2.9.13","v2.7.23","v2.11.11","v2.12.8","v2.13.3","v2.7.22","2.9.12","v2.11.10","v2.12.7","v2.13.2","2.9.11","v2.13.1","v2.12.6","v2.11.9","v2.7.21","v2.13.0","v2.12.5","v2.7.20","v2.11.8","v2.12.4","2.12.3","2.11.7","2.7.19","2.12.2","2.12.1","2.9.10","2.11.6","2.7.18","2.12.0","2.11.5","2.9.9","2.7.17","2.9.8","2.11.4","2.7.16","2.9.7","2.7.15","2.11.3","2.11.2","2.11.1","2.9.6","2.7.14","2.11.0","2.7.13","2.9.5","2.7.12","2.9.4","2.9.3","2.7.11","2.9.2","2.7.10","2.9.1","2.7.9","2.9.0","2.7.8","2.7.7","2.7.6","2.7.5","2.7.4","2.7.3","2.7.2","2.7.1","2.7.0","1.5.0-rc1","1.4.0-rc1","1.2.0","1.2.0-rc1","1.0.0-rc2","1.0.0-rc1","080-preview-3","080-preview-2","080-preview-1","0.7.1","0.7.0","0.6.0","0.5.1","0.5.0","0.5.0-rc2","0.5.0-rc1","0.4.0","0.4.0-rc2","0.4.0-rc1","0.3.2","0.3.2-rc2","0.3.1","0.3.0","0.3.0-rc2","0.3.0-rc1","0.2.3-rc4","0.2.2","0.2.2-rc1","0.2.1","0.2.0","0.2.0-rc1","0.1.2","0.1.1","0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45021.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}]}