CVE-2026-6720: Calicoctl leaks cluster credentials to stderr when verbose logging is enabled
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.
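The bug class described above, as an added illustration that is not calicoctl's own code: a connection-configuration struct holding the same kinds of credentials, the verbose-log call that dumps it with `%+v`, and a redacting `String()` method that makes the identical log call safe. The struct, its field names and the sample values are constructed for this example and are not real credentials or Calico's actual types.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// ConnConfig stands in for a loaded connection configuration of the kind the
// advisory describes. Field names are assumptions for illustration only.
type ConnConfig struct {
	DatastoreType  string
	K8sAPIEndpoint string
	K8sAPIToken    string // Kubernetes API bearer token
	Kubeconfig     string // inline kubeconfig (may embed its own token)
	EtcdEndpoints  string
	EtcdUsername   string
	EtcdPassword   string
	EtcdCert       string // inline PEM client certificate
	EtcdKey        string // inline PEM client private key
}

// secretFields lists every credential-bearing value; used by both the
// redaction below and the leak check in LeaksSecret.
func (c ConnConfig) secretFields() []string {
	return []string{c.K8sAPIToken, c.Kubeconfig, c.EtcdPassword, c.EtcdCert, c.EtcdKey}
}

// plainConfig has the same shape but no methods, so formatting it with %+v
// does not re-enter ConnConfig.String below.
type plainConfig ConnConfig

// VerboseLogUnsafe reproduces the bug class: the whole struct is rendered
// with %+v into one debug line, so every credential lands on stderr.
func VerboseLogUnsafe(cfg ConnConfig) string {
	return fmt.Sprintf("level=debug msg=\"loaded config %+v\"", plainConfig(cfg))
}

// Redacted returns a copy with each credential replaced by a placeholder.
// Endpoints, usernames and the datastore type stay visible so debug output
// remains useful for troubleshooting.
func (c ConnConfig) Redacted() ConnConfig {
	mask := func(s string) string {
		if s == "" {
			return ""
		}
		return "<redacted>"
	}
	r := c
	r.K8sAPIToken = mask(c.K8sAPIToken)
	r.Kubeconfig = mask(c.Kubeconfig)
	r.EtcdPassword = mask(c.EtcdPassword)
	r.EtcdCert = mask(c.EtcdCert)
	r.EtcdKey = mask(c.EtcdKey)
	return r
}

// String makes ConnConfig a fmt.Stringer, so any %v or %+v of the struct
// (though not %#v) goes through redaction even when a caller forgets.
func (c ConnConfig) String() string {
	return fmt.Sprintf("%+v", plainConfig(c.Redacted()))
}

// VerboseLogSafe is the fixed logging call: same format string, but the
// Stringer path strips the credentials before they reach the log line.
func VerboseLogSafe(cfg ConnConfig) string {
	return fmt.Sprintf("level=debug msg=\"loaded config %+v\"", cfg)
}

// LeaksSecret reports whether a rendered log line contains any credential
// value from cfg; a unit test for a logging path should assert this is false.
func LeaksSecret(line string, cfg ConnConfig) bool {
	for _, s := range cfg.secretFields() {
		if s != "" && strings.Contains(line, s) {
			return true
		}
	}
	return false
}

// SampleConfig is constructed test data; none of these values are real.
func SampleConfig() ConnConfig {
	return ConnConfig{
		DatastoreType:  "etcdv3",
		K8sAPIEndpoint: "https://10.0.0.1:6443",
		K8sAPIToken:    "eyJhbGciOiJSUzI1NiJ9.SAMPLE-TOKEN",
		EtcdEndpoints:  "https://10.0.0.2:2379",
		EtcdUsername:   "calico",
		EtcdPassword:   "sample-etcd-password",
		EtcdCert:       "-----BEGIN CERTIFICATE-----\nMIIB...SAMPLE\n-----END CERTIFICATE-----",
		EtcdKey:        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...SAMPLE\n-----END RSA PRIVATE KEY-----",
	}
}

func main() {
	cfg := SampleConfig()
	fmt.Fprintln(os.Stderr, VerboseLogUnsafe(cfg)) // token, password and PEM key in clear
	fmt.Fprintln(os.Stderr, VerboseLogSafe(cfg))   // credentials shown as <redacted>
	fmt.Println("unsafe line leaks:", LeaksSecret(VerboseLogUnsafe(cfg), cfg))
	fmt.Println("safe line leaks:  ", LeaksSecret(VerboseLogSafe(cfg), cfg))
}
```

The `String()` method is the part worth copying: it turns redaction into a property of the type rather than of each call site, so a later `log.Debugf("%+v", cfg)` added anywhere in the code base cannot reintroduce the leak (only `%#v` bypasses it).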
HarborGuard Analysis
Synopsis
An information-disclosure bug in calicoctl (Tigera Calico, Calico Enterprise, and Calico Cloud) causes the tool to print full cluster credentials to stderr when verbose logging is enabled via --log-level=info or --log-level=debug. The vulnerability is reachable by a low-privileged user who can invoke calicoctl with verbose flags and read the resulting stderr output, whether from CI logs, support transcripts, or local files. Successful exploitation exposes bearer tokens, etcd passwords, and PEM-encoded client certificates and keys, giving an attacker the material needed to authenticate directly to the Kubernetes API or etcd. Patched-image rebuilds at versions 3.21.7, 3.22.3, 3.32.0, and 22.4.0 are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-6720 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and active pipelines, including custom-built images that bundle calicoctl. No manual scan trigger is needed; the match runs automatically on each ingest cycle.
HarborGuard is capable of scoring this finding at CVSS 7.2 HIGH and weighting it against each environment's compliance policy, surfacing it at the appropriate severity tier. Triage routing is available to direct the finding to the correct team inbox within each customer organization based on image ownership and policy configuration.
Patched-image rebuilds at the fix versions (3.21.7, 3.22.3, 3.32.0, and 22.4.0) become available in HarborGuard as soon as the upstream packages are published. For customers who opt into auto-remediation, HarborGuard can execute the rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the host or system over the network (or have access to networked log stores such as CI pipelines, support systems, or session archives) to read the credential-bearing stderr output.
- Authentication: Required
  A low-privilege account is sufficient; the attacker needs only enough access to invoke calicoctl with verbose flags or to read the stderr stream from a session that did so.
- Victim interaction: Required
  An operator or CI process must explicitly invoke calicoctl with --log-level=info or --log-level=debug for the credentials to be emitted; the default log level (panic) does not trigger the leak.
- Attack complexity: Low
  The CVSS vector scores AC:L with AT:P (attack requirements present): specific preconditions such as verbose logging being enabled must exist, but once those conditions are met no race condition or memory-layout manipulation is required and the exploit is straightforward.
Blast Radius
- An attacker who reads the leaked stderr output extracts bearer tokens granting direct authenticated access to the Kubernetes API without needing any in-cluster privilege.
- Etcd passwords and inline PEM-encoded client certificates and keys are exposed, allowing the attacker to authenticate directly to the etcd datastore and read or modify all cluster state.
- With access to cluster and etcd credentials, the attacker can create, modify, or delete Kubernetes resources across the cluster, affecting workloads and configuration in the cluster scope (SC:H, SI:H).
- Compromise of etcd or API credentials can affect availability of dependent cluster services (SA:H), enabling the attacker to disrupt cluster operation by altering critical control-plane data.
How HarborGuard Handles This
Available on HarborGuard: detection of CVE-2026-6720 is active across customer environments with no configuration required. For environments running an affected version of Calico, Calico Enterprise, or Calico Cloud, patched-image rebuilds at versions 3.21.7, 3.22.3, 3.32.0, and 22.4.0 are available. Where compliance policy permits auto-remediation, HarborGuard can rebuild the affected image at the patched version, execute a regression test run, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Patching stops future leaks but does not revoke credentials already written to logs. Regardless of patch status, teams should audit CI and pipeline log retention policies to ensure verbose calicoctl output is not persisted in shared or world-readable storage, rotate any bearer tokens and etcd credentials that may have been emitted under verbose logging, and restrict --log-level=info/debug invocations to isolated environments with restricted log access until the patched version is deployed.
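To support the log-retention audit and credential rotation recommended above, here is an added example (not HarborGuard's or Calico's tooling) that scans a captured CI transcript for the material the advisory says a verbose calicoctl run emits: the triggering invocation, JWT-shaped bearer tokens, PEM private-key headers, and etcd password fields. The log lines are constructed, and the etcd field spelling in the regex is an assumption about common formats rather than calicoctl's exact output.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Finding is one credential-bearing item located in a log stream.
type Finding struct {
	Line  int    // 1-based line number in the stream
	Kind  string // which pattern fired
	Match string // matched text, truncated for display
}

// leakPatterns cover the invocation that triggers the leak and the secret
// types the advisory lists. The etcd field-name spelling is an assumption.
var leakPatterns = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"verbose-calicoctl", regexp.MustCompile(`calicoctl\b.*--log-level[= ](info|debug)`)},
	{"jwt-bearer-token", regexp.MustCompile(`eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}`)},
	{"pem-private-key", regexp.MustCompile(`-----BEGIN (?:RSA |EC )?PRIVATE KEY-----`)},
	{"etcd-password-field", regexp.MustCompile(`(?i)etcd[A-Za-z_]*pass(?:word)?[:=]\s*\S+`)},
}

// ScanLog reads a log stream line by line and reports every match, so the
// affected archive lines can be purged and the matching secrets rotated.
func ScanLog(r io.Reader) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // single-line struct dumps can be long
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		for _, p := range leakPatterns {
			if m := p.re.FindString(line); m != "" {
				out = append(out, Finding{Line: n, Kind: p.kind, Match: truncate(m, 40)})
			}
		}
	}
	return out, sc.Err()
}

func truncate(s string, n int) string {
	if len(s) <= n {
		return s
	}
	return s[:n] + "..."
}

// CountByKind tallies findings for a summary report.
func CountByKind(fs []Finding) map[string]int {
	c := map[string]int{}
	for _, f := range fs {
		c[f.Kind]++
	}
	return c
}

// SampleCILog is a constructed CI transcript; the token, password and key are
// placeholders shaped like the real thing, not actual credentials.
const SampleCILog = `2026-05-01T10:00:00Z [step 3/5] $ calicoctl --log-level=debug get nodes
2026-05-01T10:00:00Z level=debug msg="loaded config {K8sAPIToken:eyJhbGciOiJSUzI1NiIsImtpZCI6IlNBTVBMRSJ9.eyJzdWIiOiJzYW1wbGUifQ.SAMPLEsignature0123456789abcdef EtcdPassword:sample-etcd-pw EtcdKey:-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAsample -----END RSA PRIVATE KEY-----}"
2026-05-01T10:00:01Z level=info msg="NAME   ASN   IPV4   IPV6"
2026-05-01T10:00:02Z [step 4/5] $ kubectl get pods -A
`

func main() {
	findings, err := ScanLog(strings.NewReader(SampleCILog))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("line %d  %-20s %s\n", f.Line, f.Kind, f.Match)
	}
	fmt.Println(CountByKind(findings))
}
```

Run it against an exported job log with `ScanLog(os.Stdin)` or a file handle; the "verbose-calicoctl" hits tell you which jobs to reconfigure, and the remaining kinds tell you which credentials to rotate even if the log line has since been deleted.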
Metrics
- CVSS v4.0: 7.2
- Severity: HIGH
- Fixed in: 3.21.7, 3.22.3, 3.32.0, 22.4.0
- Affected Products: 3
  - Tigera / Calico: < 3.32.0 (from 0)
  - Tigera / Calico Enterprise: < 3.21.7 (from 0), fixed in 3.22.3
  - Tigera / Calico Cloud: < 22.4.0 (from 0)
- Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H