MEDIUM 6.5

CVE-2026-41184

Calico's CNI installer container accidentally logs Kubernetes ServiceAccount tokens to standard output during deployment, specifically when using Canal or Flannel-Calico configurations. Any user with permission to view pod logs in the affected namespace can retrieve this token, which grants the ability to modify pod annotations—a vector for attacking workloads in your cluster. The vulnerability is a regression of a previously fixed issue and does not affect deployments using the default kubeconfig authentication method.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-532
Affected products
3 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace with calico-node. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The install-cni init container in Calico performs template substitution of the __SERVICEACCOUNT_TOKEN__ placeholder with the live bearer token before logging the rendered CNI configuration to stdout. This token possesses patch privileges on the pods/status subresource, enabling annotation-based manipulation of pod metadata. Exploitation requires pods/log permission within the namespace running calico-node, making it accessible to any authenticated cluster user with that permission boundary. The kubeconfig-based authentication path is unaffected because it does not expose the token in rendered output.

Business impact

Unauthorized modification of pod annotations by authenticated users can enable privilege escalation, workload tampering, or lateral movement within the cluster. The blast radius depends on RBAC configuration but is contained to users already holding pods/log permissions. Organizations running Canal or Flannel-Calico deployments face elevated risk of annotation-based attacks against production workloads, potentially compromising application integrity and security posture without visibility into token exfiltration.

Affected systems

Tigera Calico deployments using Canal or Flannel-Calico CNI configuration templates are affected. Standard kubeconfig-based Calico deployments are not vulnerable. The exposure depends on the presence of authenticated users with pods/log permission in namespaces where calico-node operates, typically kube-system or a dedicated calico namespace.

Exploitability

Exploitation requires two preconditions: (1) a Calico deployment using the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico), and (2) authenticated access to view pod logs in the calico-node namespace. No network traversal or privilege escalation is needed to extract the token—a simple `kubectl logs` command suffices for an authorized user. Once obtained, the token can be used to patch pod annotations cluster-wide, making this a low-complexity, high-impact path for users already inside the authentication boundary.

Remediation

Upgrade Calico to a patched version that suppresses sensitive token output from the install-cni container logs (verify against the vendor advisory for the specific version). Alternatively, restrict pods/log permissions on the calico-node namespace to only cluster administrators and essential monitoring systems, reducing the number of users who can extract the token. Review RBAC policies to ensure least-privilege access to pod logs in system namespaces.

Patch guidance

Consult the Tigera Calico security advisory and release notes for the specific patched version addressing this regression. Apply the patch to all Canal or Flannel-Calico deployments in your environment. Verify that the install-cni container no longer outputs tokens by inspecting pod logs after upgrade. Test thoroughly in a staging environment to confirm CNI configuration rendering continues to function correctly.

Detection guidance

Monitor install-cni pod logs for presence of bearer token patterns (long alphanumeric strings prefixed with 'eyJ' in base64 format). Audit RBAC assignments for pods/log permissions in calico-node namespaces and identify users holding such access. Query audit logs for suspicious use of retrieved tokens to patch pod/status resources outside normal operational windows. Correlate token extraction with subsequent annotation modifications on pods in target namespaces.

Why prioritize this

Although the CVSS score is moderate (6.5), this vulnerability enables lateral movement and workload tampering for authenticated cluster users, representing a meaningful insider threat in multi-tenant or team-based Kubernetes environments. The regression status and low attack complexity warrant prompt patching to prevent exploitation chains targeting pod integrity.

Risk score, explained

CVSS 6.5 (Medium) reflects a network-accessible vulnerability requiring low privileges and no user interaction, with high confidentiality impact (token disclosure) but no direct integrity or availability impact in the initial exposure. However, the downstream annotation-based attacks enabled by the token increase practical severity; prioritization should account for your cluster's RBAC posture and the sensitivity of workloads in affected namespaces.

Frequently asked questions

Does this affect all Calico deployments?

No. Only Calico deployments using Canal or Flannel-Calico CNI configurations that rely on the __SERVICEACCOUNT_TOKEN__ placeholder are vulnerable. Standard kubeconfig-based Calico installations are not affected.

What can an attacker do with the exposed token?

The token holds patch privileges on pod/status resources, allowing an attacker to modify pod annotations. This can be leveraged for annotation-based attacks, workload disruption, or potentially to inject malicious metadata that downstream controllers might act upon.

How can we reduce risk before patching?

Restrict pods/log permissions in the calico-node namespace to only administrators and essential monitoring services. Use RBAC to limit which users can view logs from system namespaces, reducing the population of users who can extract the token.

Is this a known issue that was previously fixed?

Yes. This is a regression of TTA-2018-001, indicating that a similar vulnerability was previously resolved. This underscores the importance of comprehensive testing during refactoring or template changes.

This analysis is provided for informational purposes and should not be construed as legal or definitive security guidance. Verify all patch versions, CVSS scores, and affected products against official vendor advisories before making remediation decisions. Testing in a non-production environment is strongly recommended before applying patches to production clusters. SEC.co assumes no liability for reliance on this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2026-41185MEDIUM

    CVE-2026-41185: Calico Azure IPAM Plaintext Credential Logging Vulnerability

  • CVE-2026-40619HIGH

    CVE-2026-40619: Genetec Security Center Admin Credential Disclosure (Build-Based Vulnerability)

  • CVE-2018-25384MEDIUM

    CVE-2018-25384: Stored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts

  • CVE-2018-25387MEDIUM

    CVE-2018-25387: HaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset

  • CVE-2018-25393MEDIUM

    CVE-2018-25393: Navigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)

  • CVE-2018-25397MEDIUM

    CVE-2018-25397: CSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection

  • CVE-2018-25421MEDIUM

    CVE-2018-25421: Open STA Manager 2.3 Path Traversal File Download Vulnerability

  • CVE-2018-25423MEDIUM

    CVE-2018-25423: Buffer Overflow Denial of Service in Arm Whois 3.11