CVE-2026-55883: Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream

June 19, 2026

The Tilt HUD WebSocket (/ws/view) is gated by a CSRF token, but the token is served by an unauthenticated endpoint and the upgrader accepts any client that omits an Origin header. When the HUD is network-exposed, an attacker can open the HUD stream and read the developer’s session state.

References

github.com/advisories/GHSA-6m68-r693-78qx
github.com/tilt-dev/tilt/pull/6776
github.com/tilt-dev/tilt/releases/tag/v0.37.4
github.com/tilt-dev/tilt/security/advisories/GHSA-6m68-r693-78qx
nvd.nist.gov/vuln/detail/CVE-2026-55883

Code Behaviors & Features

Detect and mitigate CVE-2026-55883 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →