CVE-2026-42283
DevSpace UI Server WebSocket CheckOrigin does not validate source
Description
DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to `ws://127.0.0.1:8090`. This allows an attacker to access:

* `/api/logs` to stream real-time pod logs
* `/api/enter` to open an interactive shell inside the running pod
* `/api/command` to execute pre-defined pipeline commands

### Patches

Versions 6.3.21 and above are patched.

### Resources

[gorilla/websocket CheckOrigin documentation](https://pkg.go.dev/github.com/gorilla/websocket#hdr-Origin_Considerations)

### Installation Options

DevSpace is no longer publishing to NPM or Yarn; please continue to use our [other installation methods](https://www.devspace.sh/docs/getting-started/installation) to get updates in the future, including this patch.

### Credit

DevSpace thanks @b0b0haha for finding and reporting this vulnerability.
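The root cause above is a `CheckOrigin` callback that accepts every browser origin. The following Go snippet is an added illustration, not DevSpace's code and not the patch that shipped in 6.3.21: it places the permissive check beside a hardened one that compares the normalized `Origin` header against an explicit allowlist. The allowlist values, the `/api/logs` request path used for the sample handshake, and the decision to admit requests that carry no `Origin` header at all (non-browser clients) are assumptions made for this example. Either function has the `func(*http.Request) bool` shape that gorilla/websocket's `Upgrader.CheckOrigin` field expects.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Assumed allowlist of browser origins permitted to open the UI WebSocket.
// Constructed for this example; keys are lower-case "scheme://host[:port]".
var allowedOrigins = map[string]bool{
	"http://127.0.0.1:8090": true,
	"http://localhost:8090": true,
}

// permissiveCheckOrigin reproduces the weak setting the advisory describes:
// every Origin is accepted, so any page open in the developer's browser
// can complete the WebSocket handshake with the local UI server.
func permissiveCheckOrigin(r *http.Request) bool {
	return true
}

// strictCheckOrigin is the hardened replacement. It accepts a request only
// when its Origin header parses to a scheme and host that are in the
// allowlist. Exact matching on the whole authority (host and port) is
// deliberate: a prefix or substring match would let a look-alike host such as
// "localhost:8090.other.example" through. A missing Origin is treated as a
// non-browser client and admitted (assumption: mirrors the common default;
// reject it instead if only browsers should ever connect).
func strictCheckOrigin(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		// Unparseable or opaque values, including the literal "null"
		// that sandboxed frames send, never match an allowlisted origin.
		return false
	}
	normalized := strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host)
	return allowedOrigins[normalized]
}

// newHandshake builds a constructed WebSocket upgrade request against the
// local UI server, carrying the given Origin (omitted when empty).
func newHandshake(origin string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "http://127.0.0.1:8090/api/logs", nil)
	r.Header.Set("Connection", "Upgrade")
	r.Header.Set("Upgrade", "websocket")
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	samples := []string{
		"http://localhost:8090",
		"HTTP://LOCALHOST:8090",
		"https://other.example",
		"http://localhost:8090.other.example",
		"null",
		"",
	}
	for _, origin := range samples {
		req := newHandshake(origin)
		fmt.Printf("origin=%q permissive=%v strict=%v\n",
			origin, permissiveCheckOrigin(req), strictCheckOrigin(req))
	}
}
```

Wiring it in is one line on the upgrader, `websocket.Upgrader{CheckOrigin: strictCheckOrigin}`; the origin check is the only thing standing between a developer's browser tabs and the `/api/enter` shell endpoint, so it deserves a unit test of exactly the shape shown in `main`.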
How to fix CVE-2026-42283
To remediate CVE-2026-42283, upgrade the affected package to a fixed version below.
- Upgrade to 6.3.21 or later
Is CVE-2026-42283 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 6.3.20, < 6.3.21
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.7 | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |