Main Vulnerability Database SB2026050555

SB2026050555 - Missing Authentication for Critical Function in DevSpace

Published: May 5, 2026

Security Bulletin ID SB2026050555

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Missing Authentication for Critical Function (CVE-ID: CVE-2026-42283)

The vulnerability allows a remote attacker to access sensitive information and execute commands in running pods.

The vulnerability exists due to improper access control in the DevSpace UI server WebSocket when accepting cross-origin WebSocket connections from a malicious website to ws://127.0.0.1:8090. A remote attacker can trick the victim into visiting a malicious website to access sensitive information and execute commands in running pods.

User interaction is required while the DevSpace UI is running and the victim is browsing the internet.

Remediation

Install update from vendor's website.

References

https://github.com/devspace-sh/devspace/security/advisories/GHSA-hqwm-7x7x-8379