CVE-2026-44514

Summary

Kubetail is a real-time logging dashboard for Kubernetes. Prior to 0.14.0, Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. This is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability and affects both the desktop deployment (default http://localhost:7500) and cluster deployments (typically behind an Ingress with HTTP basic auth). This vulnerability is fixed in 0.14.0.

Affected Software

VendorProductVersion RangeStatus
kubetail-orgkubetail< 0.14.0affected
kubetail-orggithub.com/kubetail-org/kubetail/modules/cli< 0.16.0affected
kubetail-orggithub.com/kubetail-org/kubetail/modules/dashboard< 0.14.0affected

Weaknesses

  • CWE-1385: CWE-1385: Missing Origin Validation in WebSockets

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References