CVE-2026-41184

ADVISORY - github

Summary

In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the SERVICEACCOUNT_TOKEN placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace with calico-node. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001.

EPSS Score: 0.00504 (0.393)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Insertion of Sensitive Information into Log File

ADVISORY - github

Insertion of Sensitive Information into Log File


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in