Home > Vulnerability Database > CVE-2026-25538

Mend.io Vulnerability Database

CVE-2026-25538

Good to know:

Date: February 4, 2026

Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster. This issue has been patched via commit d2b0d26.

Severity Score

8.8

Related Resources (5)

Url: https://github.com/devtron-labs/devtron/security/advisories/GHSA-8wpc-j9q9-j5m2

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-25538

Url: https://github.com/devtron-labs/devtron/commit/d2b0d260d858ab1354b73a8f50f7f078ca62706f

Url: https://github.com/devtron-labs/devtron

Url: https://www.mend.io/vulnerability-database/CVE-2026-25538

Severity Score

8.8

Weakness Type (CWE)

Missing Authorization

CWE-862

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-25538

Good to know:

Date: February 4, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?