Security Bulletins

Calicoctl leaks cluster credentials to stderr when verbose logging is enabled

Description Severity Notes

Calicoctl leaks cluster credentials to stderr when verbose logging is enabled

Reference: TTA-2026-003, CVE-2026-6720

Date published: May 27, 2026

High N/A

Summary

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl’s default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.

Severity

CVSSv4.0: 7.2 (High)

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

The attack requires the operator to have explicitly raised calicoctl’s log level to info or debug. Because realistic exposure surfaces are stderr destinations the operator typically does not control end-to-end (CI logs that may be public on open-source repos, third-party session recordings, support transcripts), severity is graded High despite the non-default trigger condition.

References

Weakness Enumeration

CWE-532: Insertion of Sensitive Information into Log File

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Impact

CAPEC-150: Collect Data from Common Resource Locations

Indicators of Impact/Compromise

  • Stderr captures (CI logs, session recordings, support transcripts, local files) containing the literal string “Loaded client config:”. The disclosed fields include KubeconfigInline (full kubeconfig with bearer token), K8sAPIToken, EtcdPassword, EtcdKey, EtcdCert, and EtcdCACert.
  • CI artifacts in shared, mirrored, or public repositories containing calicoctl invocations with --log-level=info or --log-level=debug.
  • Calico API or calicoctl requests authenticated using the leaked Kubernetes bearer token, etcd certificates, or etcd password from unexpected source IPs, runners, or workstations.

Workaround/Mitigation

Avoid invoking calicoctl with --log-level=info or --log-level=debug until upgraded; the default panic log level is unaffected. Rotate any cluster credentials (Kubernetes ServiceAccount tokens, etcd certificates and passwords) that may have been written to logs prior to upgrade.

Affected Releases

  • Calico Open Source
    • All versions prior to v3.32.0
  • Calico Enterprise
    • All versions prior to v3.21.7
    • Prior to v3.22.3 on the v3.22 line
  • Calico Cloud
    • All versions prior to v22.4.0

Trigger condition: calicoctl invoked with --log-level=info or --log-level=debug. The default panic log level is not affected.

Fixed Versions

  • Calico Open Source
    • v3.32.0 and later
  • Calico Enterprise
    • v3.21.7 and later on the v3.21 line
    • v3.22.3 and later on the v3.22 line
  • Calico Cloud
    • v22.4.0 and later

Acknowledgments

We would like to thank the following individuals:

  • Behnam Shobiri — Finder and Remediation Developer
  • Anthony Tam — Remediation Reviewer
Return to List
X