CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-55883: Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.24.0 through 0.37.3, the Tilt HUD WebSocket at /ws/view is gated by a CSRF token, but the token is

unknownCVE-2026-55883
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.24.0 through 0.37.3, the Tilt HUD WebSocket at /ws/view is gated by a CSRF token, but the token is served by the unauthenticated /api/websocket_token endpoint and the upgrader accepts clients that omit an Origin header. When the HUD is network-exposed, an attacker who can reach the listener can open the HUD WebSocket and receive the full view stream, including session state, Tiltfile contents, resource statuses, and continued updates. This issue is fixed in version 0.37.4.

Details

Source
NVD Recent CVEs (US · database · site)
Severity
unknown
Published
2026-07-10
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-55883

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-55883coverage & exploitation statusNVD · CVE.org

Recent advisories for Tilt defines dev

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from NVD Recent CVEs