Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster. This issue has been patched via commit d2b0d26.
References
| Link | Resource |
|---|---|
| https://github.com/devtron-labs/devtron/commit/d2b0d260d858ab1354b73a8f50f7f078ca62706f | Patch |
| https://github.com/devtron-labs/devtron/security/advisories/GHSA-8wpc-j9q9-j5m2 | Exploit Vendor Advisory |
| https://github.com/devtron-labs/devtron/security/advisories/GHSA-8wpc-j9q9-j5m2 | Exploit Vendor Advisory |
Configurations
History
11 Feb 2026, 19:10
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:devtron:devtron:*:*:*:*:*:kubernetes:*:* | |
| References | () https://github.com/devtron-labs/devtron/commit/d2b0d260d858ab1354b73a8f50f7f078ca62706f - Patch | |
| References | () https://github.com/devtron-labs/devtron/security/advisories/GHSA-8wpc-j9q9-j5m2 - Exploit, Vendor Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
| First Time |
Devtron
Devtron devtron |
05 Feb 2026, 19:15
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/devtron-labs/devtron/security/advisories/GHSA-8wpc-j9q9-j5m2 - |
04 Feb 2026, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-02-04 22:15
Updated : 2026-02-11 19:10
NVD link : CVE-2026-25538
Mitre link : CVE-2026-25538
CVE.ORG link : CVE-2026-25538
JSON object : View
Products Affected
devtron
- devtron
CWE
CWE-862
Missing Authorization