CVE-2026-55884

CRITICALPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Tilt: Missing authentication on the network-exposed Tilt HUD server

Summary

The Tilt HUD HTTP server exposes state-changing and sensitive-read endpoints with no authentication. When the HUD is bound to a non-loopback address, a network attacker can trigger the developer's pre-defined Tiltfile resources, tamper with Tiltfile arguments, read full engine state including the session token, and reach the Tilt apiserver through a token-attaching proxy.

Details

The HUD server registers its handlers on a gorilla/mux router with no authenticating middleware. The cookieWrapper helper emits the Tilt-Token cookie but never validates it, and is attached only to the static-asset prefix.

Impact

An unauthenticated network caller can force any developer-defined resource to run on the host as the tilt user (choosing which and when, not the command text), set arbitrary Tiltfile arguments, disclose the session token and full engine state, and invoke apiserver resources via the loopback-token proxy. Because tilt up runs with the developer's privileges and credentials, the impact reaches the developer's environment and cluster.

Conditions for exploitation

  • Affected version in >= 0.20.8, <= 0.37.3.
  • HUD bound to a non-loopback address (tilt up --host 0.0.0.0, or TILT_HOST set).
  • Network reachability to the listener (default port 10350).

Not affected

  • The default loopback-only bind is not reachable from the network.

Workarounds

Use the default loopback bind (omit --host, unset TILT_HOST) and ensure nothing else proxies to localhost:10350. No complete workaround short of upgrading for non-loopback deployments.

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

June 19, 2026

Last Modified

June 19, 2026

Vendor Advisories for CVE-2026-55884(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Go(1)
PackageVulnerable rangeFixed inDependents
github.com/tilt-dev/tilt0.37.4

Data Freshness Timeline

(refreshed 0× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-06-19 14:58 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-55884?
CVE-2026-55884 is a critical vulnerability published on June 19, 2026. Tilt: Missing authentication on the network-exposed Tilt HUD server Summary The Tilt HUD HTTP server exposes state-changing and sensitive-read endpoints with no authentication. When the HUD is bound to a non-loopback address, a network attacker can trigger the developer's pre-defined Tiltfile…
When was CVE-2026-55884 disclosed?
CVE-2026-55884 was first published in the National Vulnerability Database on June 19, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-55884?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-55884, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-55884

Explore →

Is Your Infrastructure Affected by CVE-2026-55884?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.