{"id":"CVE-2026-6720","summary":"Calicoctl leaks cluster credentials to stderr when verbose logging is enabled","details":"When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.","aliases":["GHSA-3m4q-ggcj-j6m4","GO-2026-5893"],"modified":"2026-07-15T01:49:06.037746769Z","published":"2026-05-28T15:47:42.519Z","related":["CGA-4r4g-r9vj-3rp9"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6720.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"fixed":"3.21.7"},{"fixed":"22.4.0"}]}],"cna_assigner":"Tigera","cwe_ids":["CWE-532"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6720.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6720"},{"type":"ADVISORY","url":"https://www.tigera.io/security-bulletins/tta-2026-003/"},{"type":"FIX","url":"https://github.com/projectcalico/calico/pull/12535"},{"type":"FIX","url":"https://github.com/projectcalico/calico/pull/12536"},{"type":"FIX","url":"https://github.com/projectcalico/calico/pull/12537"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/projectcalico/calico","events":[{"introduced":"0"},{"fixed":"eb1cf57823a1dd8d25c48b82fd023ea9e3e17996"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"3.32.0"}]}}],"versions":["v3.32.0-0.dev","v3.31.0-0.dev","v3.30.0-0.dev","v3.29.0-0.dev","v3.28.0-0.dev","v3.27.0-0.dev","v3.25.0-0.dev","v3.24.0-0.dev","v3.18.5-calico","v3.18.5","v3.17.5-calico","v3.17.5","v3.18.1-calico","v3.18.1","v3.16.5-calico","v3.16.5","v3.16.0-calico","v3.16.0","v3.11.1-calico","v3.11.1","v3.9.4-calico","v3.9.4","v3.8.5-calico","v3.8.5","v3.10.2-calico","v3.10.2","v3.10.0-calico","v3.10.0","v3.9.0-calico","v3.9.0","v3.3.7-calico","v3.3.7","v3.2.8-calico","v3.2.8","v3.1.7-calico","v3.1.7","v3.0.12-calico","v3.0.12","v3.2.0-calico","v3.2.0","v3.0.1-calico","v3.0.1","v3.0.0-calico","v3.0.0","v2.6.2-calico","v2.6.2","v3.0.0-alpha1-rc1-calico","v3.0.0-alpha1-rc1","v2.6.0-calico","v2.6.0","v2.6.0-rc2-calico","v2.6.0-rc2","v2.6.0-rc1-calico","v2.6.0-rc1","v2.5.0-calico","v2.5.0","v2.5.0-rc2-calico","v2.5.0-rc2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6720.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"}]}