CVE-2026-44514

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-44514

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44514.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-44514

Aliases

GHSA-v8j7-hp7c-738f

Published

2026-05-14T16:20:11.743Z

Modified

2026-05-18T06:00:27.355044381Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Kubetail: Cross-Site WebSocket Hijacking allows attacker to read Kubernetes logs from authenticated users

Details

Kubetail is a real-time logging dashboard for Kubernetes. Prior to 0.14.0, Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. This is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability and affects both the desktop deployment (default http://localhost:7500) and cluster deployments (typically behind an Ingress with HTTP basic auth). This vulnerability is fixed in 0.14.0.

Database specific

{
    "cwe_ids": [
        "CWE-1385"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44514.json"
}

References

Affected packages

Git / github.com/kubetail-org/kubetail

Affected ranges

Type

GIT

Repo

https://github.com/kubetail-org/kubetail

Events

Introduced

Fixed

f01248e5eb05917e36988fa5b51f1048aa57e2bc

Database specific

{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.14.0"
        },
        {
            "fixed": "0.16.0"
        }
    ]
}

Affected versions

0.*

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

0.2.0

0.3.0

0.3.1

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.4.6

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.6.0

0.6.1

0.6.2

0.6.3

0.7.0

0.7.1

0.7.2

0.8.0-rc2

agent/v0.*

agent/v0.9.0

agent/v0.9.0-rc1

cli/v0.*

cli/v0.0.1

cli/v0.0.2

cli/v0.0.3

cli/v0.0.4

cli/v0.0.5

cli/v0.0.6

cli/v0.0.7

cli/v0.0.8

cli/v0.0.8-rc1

cli/v0.0.8-rc2

cli/v0.0.9

cli/v0.1.0

cli/v0.1.1

cli/v0.1.2

cli/v0.1.3

cli/v0.1.4

cli/v0.1.5

cli/v0.10.0

cli/v0.10.1

cli/v0.11.0

cli/v0.11.1

cli/v0.12.0

cli/v0.12.1

cli/v0.12.2

cli/v0.13.0

cli/v0.14.0

cli/v0.14.1

cli/v0.15.0

cli/v0.2.0

cli/v0.2.1

cli/v0.2.2

cli/v0.2.3

cli/v0.3.0

cli/v0.3.1

cli/v0.3.2

cli/v0.3.3

cli/v0.4.0

cli/v0.4.1

cli/v0.4.2

cli/v0.4.3

cli/v0.4.4

cli/v0.4.5

cli/v0.5.0

cli/v0.5.1

cli/v0.5.1-rc2

cli/v0.5.2

cli/v0.5.3

cli/v0.6.0

cli/v0.7.0

cli/v0.7.1

cli/v0.7.2-rc1

cli/v0.7.2-rc2

cli/v0.7.2-rc3

cli/v0.7.3

cli/v0.7.3-rc4

cli/v0.7.3-rc5

cli/v0.7.4

cli/v0.7.5

cli/v0.8.0

cli/v0.8.1

cli/v0.8.2

cli/v0.9.0

cluster-agent/v0.*

cluster-agent/v0.1.0

cluster-agent/v0.1.0-rc1

cluster-agent/v0.1.1

cluster-agent/v0.1.2

cluster-agent/v0.1.3

cluster-agent/v0.1.4

cluster-agent/v0.1.5

cluster-agent/v0.2.0

cluster-agent/v0.2.1

cluster-agent/v0.2.1-rc1

cluster-agent/v0.2.2

cluster-agent/v0.2.2-rc1

cluster-agent/v0.3.0

cluster-agent/v0.3.0-rc1

cluster-agent/v0.4.0

cluster-agent/v0.4.1

cluster-agent/v0.4.2

cluster-agent/v0.4.2-rc1

cluster-agent/v0.4.2-rc2

cluster-agent/v0.4.2-rc3

cluster-agent/v0.4.2-rc4

cluster-agent/v0.5.0

cluster-agent/v0.5.0-rc1

cluster-agent/v0.5.0-rc2

cluster-agent/v0.5.0-rc3

cluster-agent/v0.5.1

cluster-agent/v0.5.2

cluster-agent/v0.6.0

cluster-agent/v0.6.1

cluster-agent/v0.6.2

cluster-api/v0.*

cluster-api/v0.1.0

cluster-api/v0.1.0-rc1

cluster-api/v0.1.1

cluster-api/v0.1.2

cluster-api/v0.1.3

cluster-api/v0.1.4

cluster-api/v0.1.5

cluster-api/v0.2.0

cluster-api/v0.2.1

cluster-api/v0.2.2

cluster-api/v0.2.2-rc1

cluster-api/v0.2.3

cluster-api/v0.2.3-rc1

cluster-api/v0.2.4

cluster-api/v0.2.4-rc1

cluster-api/v0.3.0

cluster-api/v0.3.0-rc1

cluster-api/v0.4.0

cluster-api/v0.4.1

cluster-api/v0.4.2

cluster-api/v0.4.2-rc1

cluster-api/v0.4.2-rc2

cluster-api/v0.4.2-rc3

cluster-api/v0.4.2-rc4

cluster-api/v0.4.3

cluster-api/v0.4.3-rc2

cluster-api/v0.4.4

cluster-api/v0.4.5

cluster-api/v0.4.6

cluster-api/v0.5.0

cluster-api/v0.5.1

cluster-api/v0.5.2

cluster-api/v0.5.3

cluster-api/v0.5.4

cluster-api/v0.5.5

cluster-api/v0.5.6

cluster-api/v0.6.0

dashboard/v0.*

dashboard/v0.1.0

dashboard/v0.1.0-rc1

dashboard/v0.1.0-rc2

dashboard/v0.1.0-rc3

dashboard/v0.1.1

dashboard/v0.1.2

dashboard/v0.1.3

dashboard/v0.1.4

dashboard/v0.1.5

dashboard/v0.1.6

dashboard/v0.1.7

dashboard/v0.1.8

dashboard/v0.1.9

dashboard/v0.10.0

dashboard/v0.10.1

dashboard/v0.10.1-rc1

dashboard/v0.10.2

dashboard/v0.11.0

dashboard/v0.12.0

dashboard/v0.12.1

dashboard/v0.13.0

dashboard/v0.2.0

dashboard/v0.2.1

dashboard/v0.2.2

dashboard/v0.2.3

dashboard/v0.3.0

dashboard/v0.3.1

dashboard/v0.4.0

dashboard/v0.4.1

dashboard/v0.4.2

dashboard/v0.4.3

dashboard/v0.4.3-rc1

dashboard/v0.4.4

dashboard/v0.4.4-rc1

dashboard/v0.4.5

dashboard/v0.5.0

dashboard/v0.5.0-rc1

dashboard/v0.6.0

dashboard/v0.6.1

dashboard/v0.6.2

dashboard/v0.6.3

dashboard/v0.6.3-rc1

dashboard/v0.6.3-rc2

dashboard/v0.6.3-rc3

dashboard/v0.6.3-rc4

dashboard/v0.6.4

dashboard/v0.7.0

dashboard/v0.7.1

dashboard/v0.7.2

dashboard/v0.7.3

dashboard/v0.7.3-rc1

dashboard/v0.7.4

dashboard/v0.8.0

dashboard/v0.8.1

dashboard/v0.8.2

dashboard/v0.8.3

dashboard/v0.8.4

dashboard/v0.8.4-rc1

dashboard/v0.9.0

dashboard/v0.9.1

server/v0.*

server/v0.10.0-rc1

server/v0.9.0

server/v0.9.0-rc1

server/v0.9.1

server/v0.9.2

server/v0.9.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44514.json"