CVE-2026-42283
7.7 HIGH
DevSpace is a client-only developer tool for cloud-native development with Kubernetes
Published: 2026-05-14 · Last updated: 2026-05-21
Severity and scoring
- CVSS: 7.7 HIGH
- Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- CWE: CWE-200, CWE-306
Affected products
| Vendor | Product |
|---|---|
| devspace | devspace |
Description
DevSpace is a client-only developer tool for cloud-native development with Kubernetes. Prior to 6.3.21, DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to ws://127.0.0.1:8090. This vulnerability is fixed in 6.3.21.
Source: NVD
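The missing control described above is an origin check on the WebSocket handshake. The following is an added example, not DevSpace's code or its 6.3.21 patch: a strict loopback-only check with the `func(*http.Request) bool` signature used by gorilla/websocket's `Upgrader.CheckOrigin`. The names `allowedOrigin`, `handshake` and `uiPort` are hypothetical, and the sample requests are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// uiPort is the UI server port from the advisory (ws://127.0.0.1:8090).
const uiPort = "8090"

// allowedOrigin (hypothetical name) accepts a handshake only when the page
// that opened the socket was itself served from the local UI.
func allowedOrigin(r *http.Request) bool {
	u, err := url.Parse(r.Header.Get("Origin"))
	if err != nil || u.Scheme != "http" {
		return false // missing, "null", or non-http origins are refused
	}
	host, port, err := net.SplitHostPort(u.Host)
	if err != nil || port != uiPort {
		return false
	}
	if ip := net.ParseIP(host); host != "localhost" && (ip == nil || !ip.IsLoopback()) {
		return false // page was not served from a loopback address
	}
	// Origin must match the Host the browser actually connected to.
	return u.Host == r.Host
}

// handshake builds a constructed upgrade request for the demo.
func handshake(host, origin string) *http.Request {
	r := &http.Request{Host: host, Header: http.Header{}}
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	for _, o := range []string{"http://127.0.0.1:8090", "https://evil.example", "http://localhost.evil.example:8090", ""} {
		fmt.Printf("%-36q allowed=%v\n", o, allowedOrigin(handshake("127.0.0.1:8090", o)))
	}
}
```

Refusing a missing `Origin` header is a deliberately strict choice here; a server that must also serve non-browser local clients would need a separate authentication step for them.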
Related CVEs
Same CWE
- CVE-2026-12117 — Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to ...
- CVE-2026-0647 — An improper authentication security issue exists within the 1794-AENTR adapter's embedded web server
- CVE-2026-12320 — Information disclosure in the Password Manager component (4.3 MEDIUM)
- CVE-2026-12311 — Information disclosure, sandbox escape in the Security: Process Sandboxing component (4.7 MEDIUM)
- CVE-2026-50870 — An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensi... (7.5 HIGH)