Karmada Dashboard API Unauthorized Access Vulnerability (CVE-2025-62714)

8.7 / 10
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Karmada Dashboard is a general-purpose, web-based control panel for Karmada, a multi-cluster management project. Prior to version 0.2.0, the Karmada Dashboard API contained an authentication bypass vulnerability. The backend API endpoints (e.g., /api/v1/secret, /api/v1/service) did not enforce authentication, allowing unauthenticated users to access sensitive cluster information such as Secrets and Services directly. Although the web UI required a valid JWT for access, the API itself remained exposed to direct requests without any authentication checks. Any user or entity with network access to the Karmada Dashboard service could exploit this vulnerability to retrieve sensitive data.
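The gap the description lays out (a UI gated by a JWT check, API routes mounted without it) as an added Go example; this is not code from the karmada-io/dashboard project. NewMux(false) reproduces the pre-0.2.0 route layout and NewMux(true) the fix, which is to place the same authentication middleware in front of /api/v1/ as in front of the UI. The signing secret, the signature-only token check and the stand-in cluster-data handler are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"net/http"
	"strings"
)

// Constructed signing secret for this example; a deployment loads it from config.
var jwtSecret = []byte("example-secret-do-not-use")

// hs256 returns the base64url HMAC-SHA256 tag that forms a compact JWT's third segment.
func hs256(signingInput string) string {
	mac := hmac.New(sha256.New, jwtSecret)
	mac.Write([]byte(signingInput))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// authRequired rejects any request whose bearer JWT does not carry a valid signature.
func authRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := strings.Split(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "), ".")
		// Signature check only; production code must also validate alg, exp and claims.
		if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(hs256(p[0]+"."+p[1]))) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewMux wires the routes. enforceAPIAuth=false reproduces the pre-0.2.0 layout:
// the UI is gated, but /api/v1/ is mounted bare and answers anyone on the network.
func NewMux(enforceAPIAuth bool) *http.ServeMux {
	// clusterData stands in for the handlers that return Secrets and Services.
	clusterData := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("cluster data for " + r.URL.Path))
	})
	mux := http.NewServeMux()
	mux.Handle("/ui/", authRequired(clusterData))
	var api http.Handler = clusterData
	if enforceAPIAuth {
		api = authRequired(clusterData) // the fix: the same gate on the API as on the UI
	}
	mux.Handle("/api/v1/", api)
	return mux
}
```

A quick way to check a deployment from the defender's side is to request /api/v1/secret with no Authorization header: the fixed layout answers 401, the vulnerable one returns data.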

AI Analysis

Authentication bypass vulnerability in Karmada Dashboard API, allowing unauthenticated access to sensitive cluster information

Basic Information

ID: CVE-2025-62714
Source: GitHub_M
Published: Oct 24, 2025 at 15:41
Modified: Oct 24, 2025 at 17:29

Affected Product

Vendor: karmada-io
Product: dashboard
Version: < 0.2.0
Affected Versions: karmada-io dashboard < 0.2.0

AI Assessment

AI Score: 8.7 / 10
AI Severity: High
Vendor: karmada-io
Product: Karmada Dashboard
Version: < 0.2.0
