Cyber Resilience

CVE-2026-42283

Severity: High (record updated)
Published: 14 May 2026
Modified: 21 May 2026
KEV Added: not listed
Patch: fix available (DevSpace 6.3.21)
CVSS v3.1 base score: 7.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H), i.e. Attack Vector Local, Attack Complexity High, Privileges Required None, User Interaction Required, Scope Changed, Confidentiality/Integrity/Availability impact High
EPSS score: 0.0001 (0.2th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-42283 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in DevSpace (vendor devspace, product devspace). Its CVSS v3.1 base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). EPSS ranks it at the 0.2th percentile for exploit likelihood (far below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.


Vulnerability details

DevSpace is a client-only developer tool for cloud-native development with Kubernetes. Prior to 6.3.21, DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to ws://127.0.0.1:8090. This vulnerability is fixed in 6.3.21.

Why the browser does not stop this: the same-origin policy does not apply to WebSocket handshakes. The browser attaches an Origin header naming the page that opened the socket, but it is the server's job to inspect that header and refuse origins it does not expect; a loopback listener that skips the check is reachable from any page the developer has open. This is consistent with the vector: AV:L and UI:R because the attacker's script runs inside the developer's own browser and needs the developer to load the page, PR:N because the UI server asks for no credentials. The remedy is to upgrade to 6.3.21 or later; until then, do not leave the DevSpace UI running while browsing untrusted sites.
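The Origin check the advisory says the UI server lacked, as an added example in Go (DevSpace is a Go project) that is not the project's own code. It does not reproduce DevSpace's actual WebSocket handler; the port 8090 allowlist is an assumption, and the CheckOrigin signature is borrowed from gorilla/websocket's Upgrader only as a familiar shape, without claiming DevSpace uses that library. The vulnerable variant accepts every origin, which is the default behaviour the advisory describes; the hardened variant compares scheme, host and port against an allowlist and handles the edge cases a drive-by page can exploit (suffix-matched hostnames, case, default ports, the "null" origin).

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// allowedOrigins is a hypothetical allowlist for a developer tool whose UI is
// served on the loopback interface. Entries are scheme://host[:port].
var allowedOrigins = []string{
	"http://localhost:8090",
	"http://127.0.0.1:8090",
}

// canonicalOrigin normalises scheme and host:port so that comparisons are
// exact string equality: lower-cased, brackets stripped from IPv6 literals,
// default ports made explicit (http://localhost == http://localhost:80).
func canonicalOrigin(scheme, host string) string {
	scheme = strings.ToLower(scheme)
	h, p, err := net.SplitHostPort(host)
	if err != nil { // no port given
		h, p = strings.Trim(host, "[]"), ""
	}
	if p == "" {
		switch scheme {
		case "http", "ws":
			p = "80"
		case "https", "wss":
			p = "443"
		}
	}
	return scheme + "://" + strings.ToLower(h) + ":" + p
}

// originAllowed reports whether a handshake carrying the given Origin header
// may be upgraded. Browsers always send Origin on a WebSocket handshake, so an
// empty Origin means a non-browser client (the CLI, curl); it is accepted here
// because the check defends against drive-by pages, not against local
// processes, which can reach loopback regardless. This is a policy choice.
func originAllowed(origin string, allowed []string) bool {
	if origin == "" {
		return true
	}
	// "null" is sent by sandboxed iframes, file:// pages and other opaque
	// origins; none of those should be driving a local dev server.
	if origin == "null" {
		return false
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	got := canonicalOrigin(u.Scheme, u.Host)
	for _, a := range allowed {
		au, err := url.Parse(a)
		if err != nil {
			continue
		}
		if canonicalOrigin(au.Scheme, au.Host) == got {
			return true
		}
	}
	return false
}

// vulnerableCheckOrigin accepts every origin: the behaviour the advisory
// describes for releases before 6.3.21.
func vulnerableCheckOrigin(r *http.Request) bool { return true }

// hardenedCheckOrigin is what the upgrader should consult before switching
// protocols (same signature as gorilla/websocket's Upgrader.CheckOrigin).
func hardenedCheckOrigin(r *http.Request) bool {
	return originAllowed(r.Header.Get("Origin"), allowedOrigins)
}

// requireOrigin wraps a handler so a cross-origin handshake is refused with
// 403 before any upgrade happens.
func requireOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hardenedCheckOrigin(r) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed handshakes: the dev UI itself, a drive-by page, a CLI client
	// with no Origin, and an opaque "null" origin.
	for _, o := range []string{"http://localhost:8090", "https://evil.example", "", "null"} {
		req, _ := http.NewRequest("GET", "http://127.0.0.1:8090/ws", nil)
		if o != "" {
			req.Header.Set("Origin", o)
		}
		fmt.Printf("origin %q: vulnerable=%v hardened=%v\n", o, vulnerableCheckOrigin(req), hardenedCheckOrigin(req))
	}
}
```

Exact comparison after normalisation is the point: a prefix or substring match on the host would let https://localhost.evil.example:8090 through, and comparing only the hostname would let a page served on another local port drive the UI server.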

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-306 Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

Missing WebSocket origin validation enables drive-by exploitation from malicious sites via browser, directly matching T1189.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-9929 (shared CWE-200)
CVE-2026-9955 (shared CWE-200)
CVE-2026-34472 (shared CWE-200, CWE-306)
CVE-2026-9981 (shared CWE-200)
CVE-2025-67805 (shared CWE-200, CWE-306)
CVE-2026-30846 (shared CWE-200, CWE-306)
CVE-2026-39363 (shared CWE-200, CWE-306)
CVE-2026-9912 (shared CWE-200)
CVE-2026-45332 (shared CWE-200, CWE-306)
CVE-2026-28458 (shared CWE-306)

Affected Assets

Vendor: devspace
Product: devspace
Version: 6.3.20 (the advisory text states that all releases prior to 6.3.21 are affected; 6.3.20 is the last affected release, and 6.3.21 contains the fix)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-200, CWE-306: Session auditing enables detection of unauthorized exposure of, or access to, sensitive information during user activity.

Addresses CWE-200, CWE-306: Privacy and security architectures require controls to protect sensitive information from unauthorized exposure across the system lifecycle.

Addresses CWE-200, CWE-306: An inventory of all systems holding or processing data enables detection of unauthorized exposure paths before exploitation.

Addresses CWE-306, CWE-200: Protection planning for critical infrastructure directly calls for authenticating access to essential functions before any operation is permitted.

Addresses CWE-306, CWE-200: Risk assessments evaluate the exposure of critical functions that lack authentication and prioritize corrective controls.

Addresses CWE-306, CWE-200: Requires authentication gates on critical functions that must remain unavailable to anonymous public users.

Addresses CWE-306, CWE-200: Treats remote activation of surveillance-capable devices as a critical function that must be disabled or authenticated.

Addresses CWE-200, CWE-306: Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure.
