CVE-2026-42283: DevSpace UI Server WebSocket CheckOrigin does not validate source

May 6, 2026

DevSpace’s UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to ws://127.0.0.1:8090. This allows an attacker to access:

/api/logs to stream real-time pod logs
/api/enter to open an interactive shell inside the running pod
/api/command to execute pre-defined pipeline commands

References

github.com/advisories/GHSA-hqwm-7x7x-8379
github.com/devspace-sh/devspace
github.com/devspace-sh/devspace/security/advisories/GHSA-hqwm-7x7x-8379
nvd.nist.gov/vuln/detail/CVE-2026-42283

Code Behaviors & Features

Detect and mitigate CVE-2026-42283 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →