CVE-2026-25538
Published: 04 February 2026
Summary
CVE-2026-25538 is a high-severity Missing Authorization (CWE-862) vulnerability in Devtron, an open source tool integration platform for Kubernetes. Its CVSS v3.1 base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit likelihood ranks at the 6.5th percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations on the Attributes API endpoint, so that being authenticated is not by itself enough to retrieve the sensitive API token signing key.
- AC-6 (Least Privilege): restricts privileges so that low-privileged users such as CI/CD Developers cannot reach endpoints exposing the global API token signing key.
- Audit logging: generates audit records for access to the /orchestrator/attributes endpoint, enabling detection of unauthorized queries for the API token signing key, including attempts that are refused after patching.
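A detection sketch for the audit-logging control above, written as an added Go example (not Devtron's code): it scans constructed JSON access-log lines, parses each request URI, and flags every query to /orchestrator/attributes whose decoded key parameter is apiTokenSecret. The log format, field names and sample lines are assumptions made for the illustration; a real Devtron or ingress log will need its own field mapping, but the matching logic (normalise the path, decode the query, report blocked attempts too) carries over.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// accessLog is the shape of the constructed JSON access-log lines below. Real
// Devtron or ingress logs will differ; adapt the field names, not the logic.
type accessLog struct {
	TS     string `json:"ts"`
	User   string `json:"user"`
	Method string `json:"method"`
	URI    string `json:"uri"`
	Status int    `json:"status"`
}

// finding records one request that asked the Attributes API for the signing key.
type finding struct {
	TS     string
	User   string
	Status int
}

const attributesPath = "/orchestrator/attributes" // endpoint from the advisory
const signingKeyAttr = "apiTokenSecret"           // attribute name from the advisory

// detectSigningKeyReads flags every request whose cleaned path is the Attributes
// endpoint and whose decoded ?key= names the signing secret. Matching runs on
// the parsed URL, so percent-encoding, doubled slashes, trailing slashes and
// extra query parameters do not evade it. Refused (403) attempts are reported
// as well: after the patch they are still evidence that someone tried.
func detectSigningKeyReads(lines []string) []finding {
	var out []finding
	for _, ln := range lines {
		var e accessLog
		if err := json.Unmarshal([]byte(ln), &e); err != nil {
			continue // malformed line; a production job should count these
		}
		u, err := url.ParseRequestURI(e.URI)
		if err != nil || path.Clean(u.Path) != attributesPath {
			continue
		}
		for _, k := range u.Query()["key"] {
			if strings.EqualFold(k, signingKeyAttr) {
				out = append(out, finding{TS: e.TS, User: e.User, Status: e.Status})
				break
			}
		}
	}
	return out
}

// sampleLines are constructed for this example; they are not real Devtron logs.
var sampleLines = []string{
	`{"ts":"2026-02-05T10:01:02Z","user":"ci-dev-1","method":"GET","uri":"/orchestrator/attributes?key=hostUrl","status":200}`,
	`{"ts":"2026-02-05T10:01:09Z","user":"ci-dev-1","method":"GET","uri":"/orchestrator/attributes?key=apiTokenSecret","status":200}`,
	`{"ts":"2026-02-05T10:02:41Z","user":"ci-dev-2","method":"GET","uri":"/orchestrator//attributes?foo=bar&key=apiToken%53ecret","status":200}`,
	`{"ts":"2026-02-05T10:03:15Z","user":"admin","method":"GET","uri":"/orchestrator/app/list","status":200}`,
	`{"ts":"2026-02-05T10:05:30Z","user":"ci-dev-3","method":"GET","uri":"/orchestrator/attributes/?key=apiTokenSecret","status":403}`,
	`this line is not JSON and must be skipped`,
}

func main() {
	for _, f := range detectSigningKeyReads(sampleLines) {
		fmt.Printf("ALERT %s user=%s status=%d requested %s via %s\n",
			f.TS, f.User, f.Status, signingKeyAttr, attributesPath)
	}
}
```

Run against the constructed lines, three of the six are reported (two successful reads and one refused attempt); the hostUrl lookup and the unrelated app list request are not. Any hit before the upgrade should be treated as a signing-key compromise: rotate the key, which invalidates every token minted with it, rather than only blocking the endpoint.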
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization on the Attributes API directly exposes the JWT signing key (T1552, Unsecured Credentials), enabling offline forgery of tokens for arbitrary user identities (T1550.001, Use Alternate Authentication Material: Application Access Token) and subsequent privilege escalation to full control of Devtron and the underlying Kubernetes cluster (T1068, Exploitation for Privilege Escalation).
NVD Description
Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster. This issue has been patched via commit d2b0d26.
Deeper analysis
CVE-2026-25538 affects Devtron, an open source tool integration platform for Kubernetes, specifically in versions 2.0.0 and prior. The vulnerability resides in Devtron's Attributes API interface, where the endpoint /orchestrator/attributes?key=apiTokenSecret exposes the global API Token signing key to any authenticated user. This flaw, classified under CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation with low privileges.
Any authenticated user, including low-privileged roles such as CI/CD Developers, can exploit this vulnerability by simply querying the exposed endpoint to retrieve the signing key. With the key in hand, an attacker can forge JWT tokens offline that impersonate arbitrary user identities, achieving complete control over the Devtron platform. This escalation enables lateral movement to the underlying Kubernetes cluster, potentially compromising workloads, secrets, and resources managed by Devtron.
The issue has been addressed in a patch via GitHub commit d2b0d260d858ab1354b73a8f50f7f078ca62706f. Security practitioners should upgrade to a patched version of Devtron and review access logs for suspicious queries to the Attributes API endpoint, as detailed in the GitHub Security Advisory GHSA-8wpc-j9q9-j5m2.
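The chain described in the technique rationale and in the analysis above (an authenticated but unauthorized read of the signing-key attribute, followed by offline HS256 forgery), as an added Go example that is not Devtron's code and not the patch in commit d2b0d26. The attribute store, the `user` type, the JWT claim names and the secret value are constructed for the illustration. The hardened variant shows one way to add the missing authorization decision (AC-3) by refusing server-only attributes to every caller; the upstream fix may take a different approach. HTTP plumbing is omitted so the logic runs stand-alone.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// user is a constructed caller identity; only the name is used here.
type user struct{ Name string }

// signingKeyAttr is the attribute name from the advisory; its value below is a
// constructed placeholder, not a real secret.
const signingKeyAttr = "apiTokenSecret"

var attributes = map[string]string{
	signingKeyAttr: "constructed-hs256-secret-do-not-reuse",
	"hostUrl":      "https://devtron.example.internal",
}

// vulnerableAttributes models CWE-862: the caller was authenticated (we have a
// user), but nothing decides whether this user may read this key, so the
// signing secret is returned to any CI/CD developer who asks for it.
func vulnerableAttributes(_ user, key string) (value string, status int) {
	v, ok := attributes[key]
	if !ok {
		return "", 404
	}
	return v, 200
}

// serverOnly lists attributes that must never leave the process via the API.
var serverOnly = map[string]bool{signingKeyAttr: true}

// hardenedAttributes adds the missing authorization decision (AC-3): the signing
// secret is refused to every caller, since no client legitimately needs it,
// while other attributes stay readable by authenticated users. This is one
// possible fix, not a description of what commit d2b0d26 changed.
func hardenedAttributes(u user, key string) (value string, status int) {
	if serverOnly[key] {
		return "", 403
	}
	return vulnerableAttributes(u, key)
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodeSegment base64url-decodes one JWT segment and parses it as JSON into v.
func decodeSegment(seg string, v any) bool {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	return err == nil && json.Unmarshal(raw, v) == nil
}

// forgeHS256 is the attacker's offline step: with the leaked secret, mint a
// token for any subject. The claim set is illustrative, not Devtron's.
func forgeHS256(secret, subject string) string {
	header := b64url([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(map[string]string{"sub": subject})
	signingInput := header + "." + b64url(payload)
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64url(mac.Sum(nil))
}

// verifyHS256 is the server-side check. It pins the algorithm and compares in
// constant time; neither helps once the secret itself has leaked.
func verifyHS256(secret, token string) (subject string, ok bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", false
	}
	var hdr struct{ Alg string `json:"alg"` }
	if !decodeSegment(parts[0], &hdr) || hdr.Alg != "HS256" {
		return "", false
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", false
	}
	var claims struct{ Sub string `json:"sub"` }
	if !decodeSegment(parts[1], &claims) {
		return "", false
	}
	return claims.Sub, true
}

func main() {
	dev := user{Name: "ci-developer"}
	secret, status := vulnerableAttributes(dev, signingKeyAttr)
	fmt.Printf("vulnerable endpoint: status=%d leaked=%q\n", status, secret)
	tok := forgeHS256(secret, "admin")
	sub, ok := verifyHS256(attributes[signingKeyAttr], tok)
	fmt.Printf("forged token accepted=%v subject=%q\n", ok, sub)
	_, status = hardenedAttributes(dev, signingKeyAttr)
	fmt.Printf("hardened endpoint: status=%d\n", status)
}
```

The point of the forgery step is that the server's own verifier accepts the attacker's token: nothing in the token format is broken, only the confidentiality of the key. That is why patching alone is not enough once the endpoint has been reachable; the signing key has to be rotated so that previously minted tokens stop verifying.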
Details
- CWE(s)