Missing Authentication for Critical Function in DevSpace - CVE-2026-42283


Published: May 5, 2026


Vulnerability identifier: #VU129725
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-42283
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: DevSpace
Software vendor: devspace.cloud

Description

The vulnerability allows a remote attacker to access sensitive information and execute commands in running pods.

The vulnerability exists due to improper access control in the DevSpace UI server's WebSocket endpoint (ws://127.0.0.1:8090), which accepts cross-origin WebSocket connections, so a page served by a malicious website can connect to the local UI server. A remote attacker can trick the victim into visiting such a website and, through that connection, access sensitive information and execute commands in running pods.

Exploitation requires user interaction: the victim must visit the malicious website while the DevSpace UI is running locally.
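The defect described above is a missing origin check on a local WebSocket server: browsers attach the page's Origin header to every WebSocket handshake, so a server bound to 127.0.0.1 must refuse origins other than its own UI before upgrading the connection. The following Go example, added here and not taken from the DevSpace code base, shows the flawed behaviour (any origin accepted) beside a hardened handshake handler that only admits an allowlist of local origins. The allowlist, the handler names, and the synthetic handshake request are constructed for this illustration; the port 8090 matches the endpoint named in the advisory.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedOrigins is the set of browser origins permitted to open a WebSocket
// to the local UI server (constructed for this example; the port follows the
// ws://127.0.0.1:8090 endpoint named in the advisory).
var allowedOrigins = map[string]bool{
	"http://127.0.0.1:8090": true,
	"http://localhost:8090": true,
}

// originAllowed performs the check the vulnerable server lacked. Browsers send
// the page's Origin on every WebSocket handshake, so anything outside the
// local UI's own origin is refused before the connection is upgraded.
func originAllowed(r *http.Request, allowed map[string]bool) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		// No Origin header means a non-browser client (e.g. a CLI). Browsers
		// always send one, so the cross-site vector cannot reach this branch.
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		// "null", opaque or malformed origins are never trusted.
		return false
	}
	key := strings.ToLower(u.Scheme + "://" + u.Host)
	return allowed[key]
}

// vulnerableUpgrade mirrors the flawed behaviour: the handshake proceeds for
// every origin. The 101 status stands in for the real protocol upgrade.
func vulnerableUpgrade(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusSwitchingProtocols)
}

// hardenedUpgrade refuses the handshake unless the Origin is on the allowlist.
func hardenedUpgrade(w http.ResponseWriter, r *http.Request) {
	if !originAllowed(r, allowedOrigins) {
		http.Error(w, "forbidden origin", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusSwitchingProtocols)
}

// handshakeStatus replays a synthetic WebSocket handshake carrying the given
// Origin against a handler and returns the HTTP status it produced.
func handshakeStatus(h http.HandlerFunc, origin string) int {
	req := httptest.NewRequest(http.MethodGet, "http://127.0.0.1:8090/ws", nil)
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Upgrade", "websocket")
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	// Constructed origins: the UI's own origin, an unrelated website, an
	// opaque "null" origin, and a non-browser client with no Origin header.
	for _, o := range []string{"http://127.0.0.1:8090", "https://other.example", "null", ""} {
		fmt.Printf("origin %q: vulnerable=%d hardened=%d\n", o,
			handshakeStatus(vulnerableUpgrade, o), handshakeStatus(hardenedUpgrade, o))
	}
}
```

The check runs on the plain HTTP request before any upgrade library is involved, so it applies whichever WebSocket implementation the server uses; comparing scheme and host after lowercasing avoids bypasses based on case differences in the Origin value, and an explicit allowlist is preferable to matching the Host header alone, because a local server should accept only the origins it actually serves its UI from.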


Remediation

Install security update from vendor's website.

External links