{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-6720","assignerOrgId":"e6d453f4-3dae-4941-bcea-9af25f4e824d","state":"PUBLISHED","assignerShortName":"Tigera","dateReserved":"2026-04-20T19:31:31.065Z","datePublished":"2026-05-28T15:47:42.519Z","dateUpdated":"2026-05-28T17:04:11.659Z"},"containers":{"cna":{"providerMetadata":{"orgId":"e6d453f4-3dae-4941-bcea-9af25f4e824d","shortName":"Tigera","dateUpdated":"2026-05-28T15:47:42.519Z"},"title":"Calicoctl leaks cluster credentials to stderr when verbose logging is enabled","datePublic":"2026-05-28T16:00:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-532","description":"CWE-532","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-150","descriptions":[{"lang":"en","value":"CAPEC-150 Collect Data from Common Resource Locations"}]}],"affected":[{"vendor":"Tigera","product":"Calico","versions":[{"status":"affected","version":"0","lessThan":"3.32.0","versionType":"semver"}],"defaultStatus":"affected"},{"vendor":"Tigera","product":"Calico Enterprise","versions":[{"status":"affected","version":"0","lessThan":"3.21.7","versionType":"semver"},{"status":"unaffected","version":"3.22.3","versionType":"semver"}],"defaultStatus":"affected"},{"vendor":"Tigera","product":"Calico Cloud","versions":[{"status":"affected","version":"0","lessThan":"22.4.0","versionType":"semver"}],"defaultStatus":"affected"}],"cpeApplicability":[{"operator":"OR","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:*","versionStartIncluding":"0","versionEndExcluding":"3.32.0"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:tigera:calico_enterprise:*:*:*:*:*:*:*:*","versionStartIncluding":"0","versionEndExcluding":"3.21.7"},{"vulnerable":false,"criteria":"cpe:2.3:a:tigera:calico_enterprise:3.22.3:*:*:*:*:*:*:*"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:tigera:calico_cloud:*:*:*:*:*:*:*:*","versionStartIncluding":"0","versionEndExcluding":"22.4.0"}]}]}],"descriptions":[{"lang":"en","value":"When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.","supportingMedia":[{"type":"text/html","base64":false,"value":"<span>When </span><span>calicoctl</span><span> is invoked with </span><span>--log-level=info</span><span> or </span><span>--log-level=debug</span><span>, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential </span><span>calicoctl</span><span> uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran </span><span>calicoctl</span><span> — can extract these credentials with zero Kubernetes privilege. </span><span>calicoctl</span><span>'s default log level is </span><span>panic</span><span>, so this issue only triggers when verbose logging is explicitly enabled.</span>"}]}],"references":[{"url":"https://github.com/projectcalico/calico/pull/12535","tags":["patch"]},{"url":"https://github.com/projectcalico/calico/pull/12536","tags":["patch"]},{"url":"https://github.com/projectcalico/calico/pull/12537","tags":["patch"]},{"url":"https://www.tigera.io/security-bulletins/tta-2026-003/","tags":["vendor-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","subConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","subIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"HIGH","baseScore":7.2,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"}}],"credits":[{"lang":"en","value":"Behnam Shobiri","type":"finder"},{"lang":"en","value":"Behnam Shobiri","type":"remediation developer"},{"lang":"en","value":"Anthony Tam","type":"remediation verifier"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.2"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-28T17:04:05.727153Z","id":"CVE-2026-6720","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-28T17:04:11.659Z"}}]}}