Advisories for Golang/Github.com/Kumahq/Kuma package

2026

Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material.

2023

github.com/kumahq/kuma affected by CVE-2023-44487

Envoy and Go HTTP/2 protocol stack is vulnerable to the "Rapid Reset" class of exploits, which send a sequence of HEADERS frames optionally followed by RST_STREAM frames. This can be exercised if you use the builtin gateway and receive untrusted http2 traffic.

Duplicate

This advisory duplicates another.