Stats Digest Feeds
โ† Back to all CVEs

CVE-2026-55884

UNKNOWN NVD
CVSS Score 0
Severity UNKNOWN
Published Jul 10, 2026
Vendor unknown

Description

Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-loopback address, an unauthenticated network caller can trigger developer-defined resources, tamper with Tiltfile arguments, read full engine state including the session token, and invoke apiserver resources through the token-attaching /proxy handler. This issue is fixed in version 0.37.4.

References