CVE-2026-25538: Devtron Attributes API Unauthorized Access Leading to API Token Signing Key Leakage

February 4, 2026 (updated February 5, 2026)

This vulnerability exists in Devtron’s Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster.

CWE Classification: CWE-862 (Missing Authorization)

References

github.com/advisories/GHSA-8wpc-j9q9-j5m2
github.com/devtron-labs/devtron
github.com/devtron-labs/devtron/commit/d2b0d260d858ab1354b73a8f50f7f078ca62706f
github.com/devtron-labs/devtron/security/advisories/GHSA-8wpc-j9q9-j5m2
nvd.nist.gov/vuln/detail/CVE-2026-25538

Code Behaviors & Features

Detect and mitigate CVE-2026-25538 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →