Headlamp 0.38.0 (and earlier versions) contained a critical security vulnerability Headlamp 0.38.0 (and earlier versions) contained a critical security vulnerability related to credential reuse.

When the first user successfully authenticated with Headlamp, their Kubernetes API token was inadvertently cached by the server. This cached token was then reused for *all subsequent unauthenticated requests* to the Kubernetes API.

Effectively, any unauthenticated user could bypass authentication and gain the full privileges of the initial authenticated user. This allowed unauthorized access and potential privilege escalation within the Kubernetes cluster.

Users are strongly advised to upgrade to Headlamp version 0.39.0 or newer, which addresses and patches this vulnerability.

# CVE-2025-14269
A security issue was discovered in the in-cluster version of Headlamp where unauthenticated users may be able to reuse cached credentials to access Helm functionality through the Headlamp UI. Kubernetes clusters are only affected if Headlamp is installed, is configured with config.enableHelm: true, and an authorized user has previously accessed the Helm functionality.

# PoC

- Install Headlamp version <= v0.38.0
- Configured with `config.enableHelm: true`
- The logged in user must open the Helm page (`/clusters/main/helm/releases/list`), after which the response will be cached
- After this, an unauthorized user can also send a request to `/clusters/main/helm/releases/list` and receive a response with sensitive information, including keys, tokens, and passwords.
<img width="1414" height="393" alt="?????? ?????? 2025-12-17 ? 21 18 43" src="https://github.com/user-attachments/assets/ee8b8183-443f-4ed9-b429-8a5813e714a6" />