CVE-2026-6720 HIGH

CVE-2026-6720: Calicoctl leaks cluster credentials to stderr when verbose logging is enabled

Vendor Tigera
Product Calico
Weakness CWE-532 · Sensitive info in logs
Published May 28, 2026
Last update May 28, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

01Description

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.

Key dates

02Disclosure timeline

May 28, 2026 CVE published
May 28, 2026 Record updated