Description

Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster. This issue has been patched via commit d2b0d26.

INFO

Published Date :

2026-02-04T21:37:04.483Z

Last Modified :

2026-02-05T18:37:58.750Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25538 vulnerability.

Vendors Products
Devtron
  • Devtron
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25538.

URL Resource
https://github.com/devtron-labs/devtron/commit/d2b0d260d858ab1354b73a8f50f7f078ca62706f cve-icon cve-icon
https://github.com/devtron-labs/devtron/security/advisories/GHSA-8wpc-j9q9-j5m2 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact