CVE-2026-41184
Calico's CNI installer container accidentally logs Kubernetes ServiceAccount tokens to standard output during deployment, specifically when using Canal or Flannel-Calico configurations. Any user with permission to view pod logs in the affected namespace can retrieve this token, which grants the ability to modify pod annotations—a vector for attacking workloads in your cluster. The vulnerability is a regression of a previously fixed issue and does not affect deployments using the default kubeconfig authentication method.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-532
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace with calico-node. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The install-cni init container in Calico performs template substitution of the __SERVICEACCOUNT_TOKEN__ placeholder with the live bearer token before logging the rendered CNI configuration to stdout. This token possesses patch privileges on the pods/status subresource, enabling annotation-based manipulation of pod metadata. Exploitation requires pods/log permission within the namespace running calico-node, making it accessible to any authenticated cluster user with that permission boundary. The kubeconfig-based authentication path is unaffected because it does not expose the token in rendered output.
Business impact
Unauthorized modification of pod annotations by authenticated users can enable privilege escalation, workload tampering, or lateral movement within the cluster. The blast radius depends on RBAC configuration but is contained to users already holding pods/log permissions. Organizations running Canal or Flannel-Calico deployments face elevated risk of annotation-based attacks against production workloads, potentially compromising application integrity and security posture without visibility into token exfiltration.
Affected systems
Tigera Calico deployments using Canal or Flannel-Calico CNI configuration templates are affected. Standard kubeconfig-based Calico deployments are not vulnerable. The exposure depends on the presence of authenticated users with pods/log permission in namespaces where calico-node operates, typically kube-system or a dedicated calico namespace.
Exploitability
Exploitation requires two preconditions: (1) a Calico deployment using the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico), and (2) authenticated access to view pod logs in the calico-node namespace. No network traversal or privilege escalation is needed to extract the token—a simple `kubectl logs` command suffices for an authorized user. Once obtained, the token can be used to patch pod annotations cluster-wide, making this a low-complexity, high-impact path for users already inside the authentication boundary.
Remediation
Upgrade Calico to a patched version that suppresses sensitive token output from the install-cni container logs (verify against the vendor advisory for the specific version). Alternatively, restrict pods/log permissions on the calico-node namespace to only cluster administrators and essential monitoring systems, reducing the number of users who can extract the token. Review RBAC policies to ensure least-privilege access to pod logs in system namespaces.
Patch guidance
Consult the Tigera Calico security advisory and release notes for the specific patched version addressing this regression. Apply the patch to all Canal or Flannel-Calico deployments in your environment. Verify that the install-cni container no longer outputs tokens by inspecting pod logs after upgrade. Test thoroughly in a staging environment to confirm CNI configuration rendering continues to function correctly.
Detection guidance
Monitor install-cni pod logs for presence of bearer token patterns (long alphanumeric strings prefixed with 'eyJ' in base64 format). Audit RBAC assignments for pods/log permissions in calico-node namespaces and identify users holding such access. Query audit logs for suspicious use of retrieved tokens to patch pod/status resources outside normal operational windows. Correlate token extraction with subsequent annotation modifications on pods in target namespaces.
Why prioritize this
Although the CVSS score is moderate (6.5), this vulnerability enables lateral movement and workload tampering for authenticated cluster users, representing a meaningful insider threat in multi-tenant or team-based Kubernetes environments. The regression status and low attack complexity warrant prompt patching to prevent exploitation chains targeting pod integrity.
Risk score, explained
CVSS 6.5 (Medium) reflects a network-accessible vulnerability requiring low privileges and no user interaction, with high confidentiality impact (token disclosure) but no direct integrity or availability impact in the initial exposure. However, the downstream annotation-based attacks enabled by the token increase practical severity; prioritization should account for your cluster's RBAC posture and the sensitivity of workloads in affected namespaces.
Frequently asked questions
Does this affect all Calico deployments?
No. Only Calico deployments using Canal or Flannel-Calico CNI configurations that rely on the __SERVICEACCOUNT_TOKEN__ placeholder are vulnerable. Standard kubeconfig-based Calico installations are not affected.
What can an attacker do with the exposed token?
The token holds patch privileges on pod/status resources, allowing an attacker to modify pod annotations. This can be leveraged for annotation-based attacks, workload disruption, or potentially to inject malicious metadata that downstream controllers might act upon.
How can we reduce risk before patching?
Restrict pods/log permissions in the calico-node namespace to only administrators and essential monitoring services. Use RBAC to limit which users can view logs from system namespaces, reducing the population of users who can extract the token.
Is this a known issue that was previously fixed?
Yes. This is a regression of TTA-2018-001, indicating that a similar vulnerability was previously resolved. This underscores the importance of comprehensive testing during refactoring or template changes.
This analysis is provided for informational purposes and should not be construed as legal or definitive security guidance. Verify all patch versions, CVSS scores, and affected products against official vendor advisories before making remediation decisions. Testing in a non-production environment is strongly recommended before applying patches to production clusters. SEC.co assumes no liability for reliance on this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-41185MEDIUM
CVE-2026-41185: Calico Azure IPAM Plaintext Credential Logging Vulnerability
- CVE-2026-40619HIGH
CVE-2026-40619: Genetec Security Center Admin Credential Disclosure (Build-Based Vulnerability)
- CVE-2018-25384MEDIUM
CVE-2018-25384: Stored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUM
CVE-2018-25387: HaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUM
CVE-2018-25393: Navigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUM
CVE-2018-25397: CSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUM
CVE-2018-25421: Open STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUM
CVE-2018-25423: Buffer Overflow Denial of Service in Arm Whois 3.11