Information disclosure in Tigera Calico
CVE-2026-6720
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to ta…
EPSS: 0.000 (8.3th percentile)
Affected products
- Tigera Calico — versions 0
- Tigera Calico Cloud — versions 0
- Tigera Calico Enterprise — versions 0, 3.22.3
Weakness classification (CWE)
References
- psirt@tigera.io (patch)
- psirt@tigera.io (vendor-advisory)