CVE-2026-55884: Tilt: Missing authentication on the network-exposed Tilt HUD server

June 19, 2026

The Tilt HUD HTTP server exposes state-changing and sensitive-read endpoints with no authentication. When the HUD is bound to a non-loopback address, a network attacker can trigger the developer’s pre-defined Tiltfile resources, tamper with Tiltfile arguments, read full engine state including the session token, and reach the Tilt apiserver through a token-attaching proxy.

References

github.com/advisories/GHSA-c73q-8xxr-rgqm
github.com/tilt-dev/tilt/pull/6776
github.com/tilt-dev/tilt/releases/tag/v0.37.4
github.com/tilt-dev/tilt/security/advisories/GHSA-c73q-8xxr-rgqm
nvd.nist.gov/vuln/detail/CVE-2026-55884

Code Behaviors & Features

Detect and mitigate CVE-2026-55884 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →