{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6720", "assignerOrgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d", "state": "PUBLISHED", "assignerShortName": "Tigera", "dateReserved": "2026-04-20T19:31:31.065Z", "datePublished": "2026-05-28T15:47:42.519Z", "dateUpdated": "2026-05-28T17:04:11.659Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d", "shortName": "Tigera", "dateUpdated": "2026-05-28T15:47:42.519Z"}, "title": "Calicoctl leaks cluster credentials to stderr when verbose logging is enabled", "datePublic": "2026-05-28T16:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-532", "description": "CWE-532", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-150", "descriptions": [{"lang": "en", "value": "CAPEC-150 Collect Data from Common Resource Locations"}]}], "affected": [{"vendor": "Tigera", "product": "Calico", "versions": [{"status": "affected", "version": "0", "lessThan": "3.32.0", "versionType": "semver"}], "defaultStatus": "affected"}, {"vendor": "Tigera", "product": "Calico Enterprise", "versions": [{"status": "affected", "version": "0", "lessThan": "3.21.7", "versionType": "semver"}, {"status": "unaffected", "version": "3.22.3", "versionType": "semver"}], "defaultStatus": "affected"}, {"vendor": "Tigera", "product": "Calico Cloud", "versions": [{"status": "affected", "version": "0", "lessThan": "22.4.0", "versionType": "semver"}], "defaultStatus": "affected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndExcluding": "3.32.0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tigera:calico_enterprise:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndExcluding": "3.21.7"}, {"vulnerable": false, "criteria": "cpe:2.3:a:tigera:calico_enterprise:3.22.3:*:*:*:*:*:*:*"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tigera:calico_cloud:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndExcluding": "22.4.0"}]}]}], "descriptions": [{"lang": "en", "value": "When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl \u2014 can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<span>When </span><span>calicoctl</span><span> is invoked with </span><span>--log-level=info</span><span> or </span><span>--log-level=debug</span><span>, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential </span><span>calicoctl</span><span> uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran </span><span>calicoctl</span><span> \u2014 can extract these credentials with zero Kubernetes privilege. </span><span>calicoctl</span><span>'s default log level is </span><span>panic</span><span>, so this issue only triggers when verbose logging is explicitly enabled.</span>"}]}], "references": [{"url": "https://github.com/projectcalico/calico/pull/12535", "tags": ["patch"]}, {"url": "https://github.com/projectcalico/calico/pull/12536", "tags": ["patch"]}, {"url": "https://github.com/projectcalico/calico/pull/12537", "tags": ["patch"]}, {"url": "https://www.tigera.io/security-bulletins/tta-2026-003/", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"}}], "credits": [{"lang": "en", "value": "Behnam Shobiri", "type": "finder"}, {"lang": "en", "value": "Behnam Shobiri", "type": "remediation developer"}, {"lang": "en", "value": "Anthony Tam", "type": "remediation verifier"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-28T17:04:05.727153Z", "id": "CVE-2026-6720", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-28T17:04:11.659Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6720", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-28T17:04:05.727153Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-28T17:04:08.496Z"}}], "cna": {"title": "Calicoctl leaks cluster credentials to stderr when verbose logging is enabled", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Behnam Shobiri"}, {"lang": "en", "type": "remediation developer", "value": "Behnam Shobiri"}, {"lang": "en", "type": "remediation verifier", "value": "Anthony Tam"}], "impacts": [{"capecId": "CAPEC-150", "descriptions": [{"lang": "en", "value": "CAPEC-150 Collect Data from Common Resource Locations"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Tigera", "product": "Calico", "versions": [{"status": "affected", "version": "0", "lessThan": "3.32.0", "versionType": "semver"}], "defaultStatus": "affected"}, {"vendor": "Tigera", "product": "Calico Enterprise", "versions": [{"status": "affected", "version": "0", "lessThan": "3.21.7", "versionType": "semver"}, {"status": "unaffected", "version": "3.22.3", "versionType": "semver"}], "defaultStatus": "affected"}, {"vendor": "Tigera", "product": "Calico Cloud", "versions": [{"status": "affected", "version": "0", "lessThan": "22.4.0", "versionType": "semver"}], "defaultStatus": "affected"}], "datePublic": "2026-05-28T16:00:00.000Z", "references": [{"url": "https://github.com/projectcalico/calico/pull/12535", "tags": ["patch"]}, {"url": "https://github.com/projectcalico/calico/pull/12536", "tags": ["patch"]}, {"url": "https://github.com/projectcalico/calico/pull/12537", "tags": ["patch"]}, {"url": "https://www.tigera.io/security-bulletins/tta-2026-003/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl \u2014 can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.", "supportingMedia": [{"type": "text/html", "value": "<span>When </span><span>calicoctl</span><span> is invoked with </span><span>--log-level=info</span><span> or </span><span>--log-level=debug</span><span>, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential </span><span>calicoctl</span><span> uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran </span><span>calicoctl</span><span> \u2014 can extract these credentials with zero Kubernetes privilege. </span><span>calicoctl</span><span>'s default log level is </span><span>panic</span><span>, so this issue only triggers when verbose logging is explicitly enabled.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.32.0", "versionStartIncluding": "0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tigera:calico_enterprise:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.21.7", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:tigera:calico_enterprise:3.22.3:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tigera:calico_cloud:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "22.4.0", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d", "shortName": "Tigera", "dateUpdated": "2026-05-28T15:47:42.519Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6720", "state": "PUBLISHED", "dateUpdated": "2026-05-28T17:04:11.659Z", "dateReserved": "2026-04-20T19:31:31.065Z", "assignerOrgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d", "datePublished": "2026-05-28T15:47:42.519Z", "assignerShortName": "Tigera"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl \u2014 can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled."}], "id": "CVE-2026-6720", "lastModified": "2026-05-29T15:39:34.620", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "psirt@tigera.io", "type": "Secondary"}]}, "published": "2026-05-28T17:16:33.490", "references": [{"source": "psirt@tigera.io", "url": "https://github.com/projectcalico/calico/pull/12535"}, {"source": "psirt@tigera.io", "url": "https://github.com/projectcalico/calico/pull/12536"}, {"source": "psirt@tigera.io", "url": "https://github.com/projectcalico/calico/pull/12537"}, {"source": "psirt@tigera.io", "url": "https://www.tigera.io/security-bulletins/tta-2026-003/"}], "sourceIdentifier": "psirt@tigera.io", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "psirt@tigera.io", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.32.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Calico", "source": "cna", "vendor": "Tigera"}, "product": "calico", "vendor": "tigera"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,22.4.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Calico Cloud", "source": "cna", "vendor": "Tigera"}, "product": "calico_cloud", "vendor": "tigera"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.21.7)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "3.22.3"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Calico Enterprise", "source": "cna", "vendor": "Tigera"}, "product": "calico_enterprise", "vendor": "tigera"}], "created": "2026-05-28T18:45:23.960878+00:00", "updated": "2026-05-28T19:45:25.029866+00:00", "vendors": ["tigera", "tigera$PRODUCT$calico", "tigera$PRODUCT$calico_cloud", "tigera$PRODUCT$calico_enterprise"], "weaknesses": ["CWE-532"]}