| Description | Severity | Notes |
|---|---|---|
Calicoctl leaks cluster credentials to stderr when verbose logging is enabledReference: TTA-2026-003, CVE-2026-6720 Date published: May 27, 2026 |
High | N/A |
Summary
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl’s default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.
Severity
CVSSv4.0: 7.2 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
The attack requires the operator to have explicitly raised calicoctl’s log level to info or debug. Because realistic exposure surfaces are stderr destinations the operator typically does not control end-to-end (CI logs that may be public on open-source repos, third-party session recordings, support transcripts), severity is graded High despite the non-default trigger condition.
References
Weakness Enumeration
CWE-532: Insertion of Sensitive Information into Log File
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Impact
CAPEC-150: Collect Data from Common Resource Locations
Indicators of Impact/Compromise
- Stderr captures (CI logs, session recordings, support transcripts, local files) containing the literal string “Loaded client config:”. The disclosed fields include KubeconfigInline (full kubeconfig with bearer token), K8sAPIToken, EtcdPassword, EtcdKey, EtcdCert, and EtcdCACert.
- CI artifacts in shared, mirrored, or public repositories containing calicoctl invocations with
--log-level=infoor--log-level=debug. - Calico API or calicoctl requests authenticated using the leaked Kubernetes bearer token, etcd certificates, or etcd password from unexpected source IPs, runners, or workstations.
Workaround/Mitigation
Avoid invoking calicoctl with --log-level=info or --log-level=debug until upgraded; the default panic log level is unaffected. Rotate any cluster credentials (Kubernetes ServiceAccount tokens, etcd certificates and passwords) that may have been written to logs prior to upgrade.
Affected Releases
- Calico Open Source
- All versions prior to v3.32.0
- Calico Enterprise
- All versions prior to v3.21.7
- Prior to v3.22.3 on the v3.22 line
- Calico Cloud
- All versions prior to v22.4.0
Trigger condition: calicoctl invoked with --log-level=info or --log-level=debug. The default panic log level is not affected.
Fixed Versions
- Calico Open Source
- v3.32.0 and later
- Calico Enterprise
- v3.21.7 and later on the v3.21 line
- v3.22.3 and later on the v3.22 line
- Calico Cloud
- v22.4.0 and later
Acknowledgments
We would like to thank the following individuals:
- Behnam Shobiri — Finder and Remediation Developer
- Anthony Tam — Remediation Reviewer
