CVE-2026-42283
Published 2026-05-14
Priority: P3 (40) | Severity: high | CVSS 3.1 base score: 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.15% (4.8th percentile)
DevSpace is a client-only developer tool for cloud-native development with Kubernetes. Prior to 6.3.21, DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to ws://127.0.0.1:8090. This vulnerability is fixed in 6.3.21.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devspace-sh | devspace | < 6.3.21 | 6.3.21 |
| devspace | devspace | — | — |
| github.com | loft-sh_devspace | >= 6.3.20 < 6.3.21 | 6.3.21 |
VulDB
devspace-sh devspace up to 6.3.20 UI Server WebSocket missing authentication (GHSA-hqwm-7x7x-8379)
VulDB · 2026-05-14 · CVSS 7.7 · HIGH
VulDB records a vulnerability (rated critical on its own scale) in devspace-sh devspace up to 6.3.20, in the UI Server WebSocket component: the origin of incoming WebSocket connections is not validated, so the WebSocket and the endpoints behind it are reachable without authentication. The attack vector is local: a malicious web page uses the developer's own browser to reach the UI server on 127.0.0.1. No public exploit is known. Upgrading to 6.3.21 is advised.
GHSA
DevSpace UI Server WebSocket CheckOrigin does not validate source
GHSA · 2026-05-06 · HIGH · CWE-200
### Description
DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to `ws://127.0.0.1:8090`. This allows an attacker to access:
* `/api/logs` to stream real-time pod logs
* `/api/enter` to open an interactive shell inside the running pod
* `/api/command` to execute pre-defined pipeline commands
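The advisory title names the `CheckOrigin` hook of gorilla/websocket's `Upgrader`. The example below is added here and is not DevSpace's code or its actual fix (the page does not show either): it puts the weak pattern the title describes, a `CheckOrigin` that returns true for every `Origin`, beside two hardened checks with the same `func(*http.Request) bool` signature. `sameOriginCheck` mirrors what gorilla/websocket does when `CheckOrigin` is left nil (no `Origin` header passes, otherwise the `Origin` host must equal the `Host` header); `loopbackOriginCheck` additionally requires a loopback origin on the UI port, which also rejects DNS-rebinding pages whose `Origin` and `Host` both carry the attacker's hostname and therefore satisfy a plain same-origin rule. The port `8090` comes from the advisory; the helper name `request`, the constant `uiPort` and the sample requests are constructed for the example, not captured traffic.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Port the DevSpace UI server listens on per the advisory (ws://127.0.0.1:8090).
const uiPort = "8090"

// permissiveCheckOrigin is the weak pattern: it has the signature gorilla/websocket
// expects for Upgrader.CheckOrigin but accepts every Origin, so any page the
// developer has open in a browser can open a WebSocket to the local UI server.
func permissiveCheckOrigin(r *http.Request) bool { return true }

// sameOriginCheck reproduces gorilla/websocket's behaviour when CheckOrigin is nil:
// requests without an Origin header (non-browser clients) pass, and browser requests
// pass only if the Origin host equals the Host header, compared case-insensitively.
func sameOriginCheck(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}

// loopbackOriginCheck is the stricter variant for a tool that only ever serves
// localhost: on top of the same-origin rule the Origin host must be "localhost" or a
// loopback IP on the UI port. A DNS-rebinding page (Origin and Host both
// "attacker.example:8090") passes sameOriginCheck but fails here.
func loopbackOriginCheck(r *http.Request) bool {
	if !sameOriginCheck(r) {
		return false
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true // non-browser client, already accepted above
	}
	u, _ := url.Parse(origin) // parsed successfully inside sameOriginCheck
	host, port, err := net.SplitHostPort(u.Host)
	if err != nil || port != uiPort {
		return false // no port, or a port other than the UI server's
	}
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// request builds a constructed WebSocket upgrade request as a browser would send it
// to the UI server (sample data for the example, not captured traffic). An empty
// origin models a non-browser client that sends no Origin header.
func request(hostHeader, origin string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://"+hostHeader+"/api/logs", nil)
	r.Host = hostHeader
	r.Header.Set("Connection", "Upgrade")
	r.Header.Set("Upgrade", "websocket")
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	cases := []struct{ name, host, origin string }{
		{"same-origin UI page", "127.0.0.1:8090", "http://127.0.0.1:8090"},
		{"localhost UI page", "localhost:8090", "http://localhost:8090"},
		{"CLI client, no Origin", "127.0.0.1:8090", ""},
		{"malicious website", "127.0.0.1:8090", "https://attacker.example"},
		{"DNS-rebinding page", "attacker.example:8090", "http://attacker.example:8090"},
	}
	for _, c := range cases {
		r := request(c.host, c.origin)
		fmt.Printf("%-24s permissive=%-5v same-origin=%-5v loopback=%v\n",
			c.name, permissiveCheckOrigin(r), sameOriginCheck(r), loopbackOriginCheck(r))
	}
}
```

Only the "malicious website" row shows the bug: the permissive hook lets the cross-origin page through while both hardened checks refuse it. The "DNS-rebinding page" row shows why a same-origin rule alone is not enough for a localhost-only server and why an explicit loopback allow-list is the safer default for developer tools that bind to 127.0.0.1.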
### Patches
Versions 6.3.21 and above are patched.
### Resources
[gorilla/websocket CheckOrigin documentation](https://pkg.go.dev/github.co
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-14