CVE-2026-42283: DevSpace UI WebSocket Exposes Developer Endpoints
The National Vulnerability Database reports CVE-2026-42283, a high-severity vulnerability (CVSS 7.7) affecting DevSpace, a client-only developer tool for Kubernetes. Prior to version 6.3.21, DevSpace’s UI server WebSocket accepted connections from all origins by default. This design flaw meant several critical endpoints were exposed via the WebSocket.
This vulnerability presents a clear attack path: if a developer is running the DevSpace UI and simultaneously browsing the internet, a malicious website can establish a cross-origin WebSocket connection to ws://127.0.0.1:8090 on their local machine. This allows the attacker to interact with the exposed DevSpace UI endpoints, potentially leading to significant compromise of the developer’s environment. The National Vulnerability Database identifies the root causes as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-306 (Missing Authentication for Critical Function).
Defenders must recognize the implications for developer workstations. This isn't just a theoretical flaw; it's a direct browser-based attack vector, and because the connection is initiated by the developer's own browser from inside the network, it bypasses traditional perimeter controls entirely. The fix is available in DevSpace version 6.3.21, and immediate patching is non-negotiable for any organization using the tool.
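The missing control here is an Origin check on the WebSocket upgrade. The following Go handler is an added illustration of that check, not DevSpace's own code; the port constant is taken from the page, while the loopback-only allowlist and the function names are assumptions for this example.

```go
package main

import (
	"net"
	"net/http"
	"net/url"
	"strings"
)

// uiPort is the DevSpace UI port the page names; the loopback allowlist
// below is an assumption for this example, not DevSpace's own configuration.
const uiPort = "8090"

// originAllowed is the check the page says was missing before 6.3.21:
// a WebSocket upgrade is accepted only if the browser's Origin header
// names the UI's own loopback origin. A missing Origin (non-browser
// client) is rejected as well, which is the conservative default.
func originAllowed(origin string) bool {
	u, err := url.Parse(origin)
	if origin == "" || err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return false
	}
	host, port, err := net.SplitHostPort(u.Host)
	if err != nil || port != uiPort {
		return false // no explicit port, or not the UI port
	}
	switch strings.ToLower(host) {
	case "localhost", "127.0.0.1", "::1":
		return true
	}
	return false // any other site, including lookalikes such as localhost.example.com
}

// wsGuard wraps a WebSocket endpoint and rejects cross-origin upgrade
// requests before the protocol switch, so a page served by another site
// can never reach the endpoints behind it.
func wsGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.EqualFold(r.Header.Get("Upgrade"), "websocket") &&
			!originAllowed(r.Header.Get("Origin")) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Non-upgrade requests pass through untouched, so the wrapper can sit in front of the whole UI mux rather than only the `/ws` route.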
What This Means For You
- If your development teams use DevSpace, you need to ensure all installations are updated to version 6.3.21 or later immediately. This vulnerability allows malicious websites to directly interact with DevSpace UI endpoints on a developer's machine, potentially compromising sensitive development environments. Audit developer workstations for unpatched DevSpace instances and enforce update policies.
🛡️ Detection Rules
CVE-2026-42283: DevSpace UI WebSocket Connection to Localhost
```yaml
title: 'CVE-2026-42283: DevSpace UI WebSocket Connection to Localhost'
id: scw-2026-05-14-ai-1
status: experimental
level: high
description: |
  Detects a WebSocket connection originating from localhost to the default DevSpace UI port (8090). This is indicative of a malicious website attempting to exploit CVE-2026-42283 by leveraging the browser to connect to the vulnerable DevSpace UI WebSocket endpoint.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42283/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    src_ip:
      - '127.0.0.1'
    dst_port:
      - '8090'
    cs-uri|contains:
      - '/ws'
  condition: selection
falsepositives:
  # The developer's own browser session also connects from 127.0.0.1 and
  # matches this selection; where the log source records the request's
  # Origin header, use it to separate the UI's own origin from foreign ones.
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42283 | CSRF | DevSpace UI server WebSocket accepts connections from all origins by default |
| CVE-2026-42283 | Misconfiguration | DevSpace prior to version 6.3.21 |
| CVE-2026-42283 | Information Disclosure | Several endpoints exposed via WebSocket at ws://127.0.0.1:8090 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.