Calicoctl leaks cluster credentials to stderr when verbose logging is...

7.2 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

Description

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.

Basic Information

ID CVE-2026-6720

Source Tigera

Published May 28, 2026 at 15:47

Affected Product

Vendor Tigera

Product Calico

Affected Versions Tigera Calico 0
Tigera Calico Enterprise 0
Tigera Calico Cloud 0

CWE Classification

CWE-532

References

{
    "lastseen": "",
    "description": "When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl \u2014 can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.",
    "published": "2026-05-28T15:47:42.519Z",
    "modified": "2026-05-28T15:47:42.519Z",
    "type": "cve",
    "title": "Calicoctl leaks cluster credentials to stderr when verbose logging is enabled",
    "source": "Tigera",
    "references": "https://github.com/projectcalico/calico/pull/12535\nhttps://github.com/projectcalico/calico/pull/12536\nhttps://github.com/projectcalico/calico/pull/12537\nhttps://www.tigera.io/security-bulletins/tta-2026-003/",
    "id": "CVE-2026-6720",
    "bulletinFamily": "",
    "cwe": [
        "CWE-532"
    ],
    "cvelist": null,
    "sourceData": "Tigera Calico 0\nTigera Calico Enterprise 0\nTigera Calico Cloud 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Calico",
    "version": "0",
    "vendor": "Tigera",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Calicoctl leaks cluster credentials to stderr when verbose logging is enabled_CVE-2026-6720