CVE-2026-45021: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
(updated )
Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material.
References
- github.com/advisories/GHSA-3vcp-chfh-f6r2
- github.com/kumahq/kuma/commit/8fefa8595d44eb68d922405702ed7a0826322907
- github.com/kumahq/kuma/pull/16416
- github.com/kumahq/kuma/pull/16423
- github.com/kumahq/kuma/pull/16424
- github.com/kumahq/kuma/pull/16425
- github.com/kumahq/kuma/pull/16426
- github.com/kumahq/kuma/pull/16427
- github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2
- nvd.nist.gov/vuln/detail/CVE-2026-45021
Code Behaviors & Features
Detect and mitigate CVE-2026-45021 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →