CVE-2026-55883
Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream
Description
## Summary

The Tilt HUD WebSocket (`/ws/view`) is gated by a CSRF token, but the token is served by an unauthenticated endpoint and the upgrader accepts any client that omits an `Origin` header. When the HUD is network-exposed, an attacker can open the HUD stream and read the developer's session state.

## Details

The upgrader accepts a connection when the `csrf` query parameter matches a process-wide token (`websocketCSRFToken`). That token is served as `text/plain` by an unauthenticated handler (`WebsocketToken`, mounted at `/api/websocket_token`), so any reachable caller can fetch it and connect to `/ws/view?csrf=<token>`. When the parameter does not match, the upgrader falls back to a same-origin check that returns true when the `Origin` header is absent, so a non-browser client that omits `Origin` is accepted anyway. The token has no per-session binding.

## Impact

An attacker who can reach the HUD listener can open the HUD WebSocket and receive the full view stream — session state, Tiltfile contents, resource statuses, and continued updates — defeating the intended anti-CSWSH protection.

### Conditions for exploitation

- Affected version in `>= 0.24.0, <= 0.37.3`.
- HUD bound to a non-loopback address (`tilt up --host 0.0.0.0`, or `TILT_HOST` set).
- Network reachability to the listener (default port `10350`).

### Not affected

- The default loopback-only bind is not reachable from the network.

## Workarounds

Use the default loopback bind (omit `--host`, unset `TILT_HOST`). There is no complete workaround short of upgrading for non-loopback deployments.
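The two weaknesses the advisory names (a process-wide token that is not bound to a session, and a same-origin fallback that passes when `Origin` is missing) are easiest to see as a pair of upgrader origin checks. The Go below is an added illustration written for this page, not Tilt's code: `weakCheckOrigin` reconstructs the described pattern, and `hardenedCheckOrigin` shows the three conditions a fix needs to enforce. The `hud_session` cookie name, the map-based session store and the function names are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// sameOrigin reports whether the Origin header names the same host (and port)
// the HUD request arrived on.
func sameOrigin(origin, host string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	return strings.EqualFold(u.Host, host)
}

// weakCheckOrigin is an illustrative reconstruction of the pattern the
// advisory describes (not Tilt's code): a process-wide token in the `csrf`
// query parameter is accepted, and the same-origin fallback returns true when
// the Origin header is absent.
func weakCheckOrigin(r *http.Request, processToken string) bool {
	if r.URL.Query().Get("csrf") == processToken {
		return true // the token is served unauthenticated, so this is not a real gate
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true // the flaw: a non-browser client simply omits Origin
	}
	return sameOrigin(origin, r.Host)
}

// issueSession creates a session id and a CSRF token bound to it. The session
// id travels in a cookie (the name `hud_session` is assumed here); the token
// is handed only to the page that owns that session.
func issueSession(sessions map[string]string) (sessionID, token string) {
	sessionID = randomHex(16)
	token = randomHex(32)
	sessions[sessionID] = token
	return sessionID, token
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// hardenedCheckOrigin requires every upgrade to satisfy all of:
//  1. an Origin header is present and matches the HUD host (no silent pass
//     when the header is missing);
//  2. the request carries a known session cookie;
//  3. the csrf parameter equals the token bound to that session.
func hardenedCheckOrigin(r *http.Request, sessions map[string]string) bool {
	origin := r.Header.Get("Origin")
	if origin == "" || !sameOrigin(origin, r.Host) {
		return false
	}
	c, err := r.Cookie("hud_session")
	if err != nil {
		return false
	}
	want, ok := sessions[c.Value]
	if !ok {
		return false
	}
	got := r.URL.Query().Get("csrf")
	return subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1
}

func main() {
	sessions := map[string]string{}
	sid, tok := issueSession(sessions)

	// Constructed request: same-origin browser page with a valid session.
	r, _ := http.NewRequest("GET", "http://localhost:10350/ws/view?csrf="+tok, nil)
	r.Header.Set("Origin", "http://localhost:10350")
	r.AddCookie(&http.Cookie{Name: "hud_session", Value: sid})
	fmt.Println("hardened, same-origin + session:", hardenedCheckOrigin(r, sessions))

	// Constructed request: no Origin header at all, wrong token.
	bare, _ := http.NewRequest("GET", "http://localhost:10350/ws/view?csrf=stale", nil)
	fmt.Println("weak check, no Origin:          ", weakCheckOrigin(bare, "process-token"))
	fmt.Println("hardened check, no Origin:      ", hardenedCheckOrigin(bare, sessions))
}
```

The hardened variant treats a missing `Origin` as a failure rather than a pass, which is the single change that closes the non-browser path, and it binds the token to a session cookie so that knowing the token alone is not enough to open the stream. Keeping the comparison constant-time is cheap and avoids leaking the token by timing.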
How to fix CVE-2026-55883
To remediate CVE-2026-55883, upgrade the affected package to a fixed version below.
- Upgrade to 0.37.4 or later.
Is CVE-2026-55883 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-55883.
Affected packages (1)
- >= 0.24.0, < 0.37.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |