CVE-2026-25538
📋 TL;DR
This vulnerability in Devtron allows any authenticated user, including low-privileged CI/CD developers, to retrieve the global API token signing key. With this key, attackers can forge JWT tokens for any user identity, gaining complete control over the Devtron platform and potentially accessing the underlying Kubernetes cluster. All Devtron installations up to version 2.0.0 are affected.
💻 Affected Systems
- Devtron
📦 What is this software?
Devtron, a CI/CD platform for Kubernetes, by Devtron Labs
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Devtron platform, lateral movement to Kubernetes clusters, privilege escalation to cluster-admin level, and potential compromise of all containerized workloads.
Likely Case
Attackers forge administrative JWT tokens to gain full control over Devtron, manipulate CI/CD pipelines, deploy malicious containers, and access sensitive deployment secrets.
If Mitigated
Limited to authenticated users only, but still enables privilege escalation from low-privileged to administrative access within Devtron.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial once authenticated. The vulnerability is well-documented in the security advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit d2b0d26
Vendor Advisory: https://github.com/devtron-labs/devtron/security/advisories/GHSA-8wpc-j9q9-j5m2
Restart Required: Yes
Instructions:
1. Update Devtron to a version containing commit d2b0d26.
2. Restart all Devtron components.
3. Regenerate all API tokens, as previously issued tokens may have been compromised.
🔧 Temporary Workarounds
Restrict API endpoint access
Implement network-level restrictions to block access to the vulnerable /orchestrator/attributes endpoint. The string match below only inspects plaintext HTTP; if Devtron is served over TLS, apply the equivalent path block at the ingress or reverse proxy that terminates TLS instead.
iptables -A INPUT -p tcp --dport [DEVTRON_PORT] -m string --string "/orchestrator/attributes" --algo bm -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Devtron from production Kubernetes clusters
- Rotate all JWT signing keys and API tokens immediately, then implement monitoring for unauthorized token usage
🔍 How to Verify
Check if Vulnerable:
As an authenticated user, attempt to access /orchestrator/attributes?key=apiTokenSecret. If it returns the signing key, the system is vulnerable.
Check Version:
Check Devtron version in the UI or via kubectl get deployment devtron -o jsonpath='{.spec.template.spec.containers[0].image}'
Verify Fix Applied:
After patching, the same endpoint should return an error or empty response instead of the signing key.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to the /orchestrator/attributes endpoint
- Multiple failed JWT validations followed by successful ones
- User accounts accessing endpoints outside their normal privilege level
Network Indicators:
- HTTP GET requests to /orchestrator/attributes?key=apiTokenSecret
- Sudden increase in API token generation or usage
SIEM Query:
source="devtron-logs" AND (uri_path="/orchestrator/attributes" OR message="*apiTokenSecret*")
(The wildcard on message matches the key name as a substring, since it normally appears inside a longer log message rather than as the whole value.)
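The log and network indicators above can be checked offline against access logs. The following is an added example for this page, not Devtron code: it parses a constructed, simplified JSON access log (fields ts, user, method, path, status are an assumption about how an ingress or API gateway might log requests), flags requests for /orchestrator/attributes?key=apiTokenSecret (successful reads as critical, denied attempts as lower severity), and correlates a successful read with subsequent API token creation by the same user. The token-creation path /orchestrator/api/token is a placeholder assumption, not taken from the advisory.

```python
"""Scan access logs for probes of Devtron's attributes endpoint (CVE-2026-25538).

Added example, not Devtron's own code. The JSON log format and the token
creation path are assumptions for illustration.
"""
import json
from collections import Counter
from urllib.parse import parse_qs, urlsplit

WATCHED_PATH = "/orchestrator/attributes"   # endpoint named in the advisory
SENSITIVE_KEY = "apiTokenSecret"            # attribute key named in the advisory
TOKEN_PATH = "/orchestrator/api/token"      # ASSUMED path for API token creation

# Constructed sample log lines (not real traffic); one line is deliberately malformed.
SAMPLE_LOG = """\
{"ts":"2026-01-10T09:00:01Z","user":"dev-alice","method":"GET","path":"/orchestrator/app/list","status":200}
{"ts":"2026-01-10T09:00:05Z","user":"dev-bob","method":"GET","path":"/orchestrator/attributes?key=apiTokenSecret","status":200}
{"ts":"2026-01-10T09:00:06Z","user":"dev-bob","method":"POST","path":"/orchestrator/api/token","status":200}
{"ts":"2026-01-10T09:01:00Z","user":"admin","method":"GET","path":"/orchestrator/attributes?key=ui_theme","status":200}
{"ts":"2026-01-10T09:02:00Z","user":"dev-carol","method":"GET","path":"/orchestrator/attributes?key=apiTokenSecret","status":403}
not a json line
"""


def parse_line(line):
    """Parse one JSON log line; return None for malformed or non-object lines."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def classify(rec):
    """Severity for one record: 'critical' (signing key returned), 'attempt'
    (request for the key that was denied), 'info' (other attribute reads), or None."""
    parts = urlsplit(rec.get("path", ""))
    if parts.path != WATCHED_PATH:
        return None
    if SENSITIVE_KEY in parse_qs(parts.query).get("key", []):
        return "critical" if rec.get("status") == 200 else "attempt"
    return "info"


def finding(rec, severity):
    return {"ts": rec.get("ts"), "user": rec.get("user", "?"),
            "severity": severity, "status": rec.get("status")}


def analyze(log_text):
    """Return (findings, per-user count of requests for the signing key).

    A user who successfully read the key and then creates an API token is
    reported as 'followup', matching the advisory's indicator of token
    generation after the key leak."""
    findings, per_user, leaked_users = [], Counter(), set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        user = rec.get("user", "?")
        if urlsplit(rec.get("path", "")).path == TOKEN_PATH and user in leaked_users:
            findings.append(finding(rec, "followup"))
            continue
        severity = classify(rec)
        if severity is None:
            continue
        findings.append(finding(rec, severity))
        if severity in ("critical", "attempt"):
            per_user[user] += 1
        if severity == "critical":
            leaked_users.add(user)
    return findings, per_user


if __name__ == "__main__":
    results, counts = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['severity']:9} user={f['user']} status={f['status']}")
    print("signing-key requests per user:", dict(counts))
```

Any 'critical' finding means the signing key left the server for that user, so the token rotation step in the fix instructions applies regardless of whether the 'followup' correlation fires; 'attempt' findings on a patched system are expected to be the only hits.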