CVE-2026-55883 in Tilt
Summary
by MITRE • 07/11/2026
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.24.0 through 0.37.3, the Tilt HUD WebSocket at /ws/view is gated by a CSRF token, but the token is served by the unauthenticated /api/websocket_token endpoint and the upgrader accepts clients that omit an Origin header. When the HUD is network-exposed, an attacker who can reach the listener can open the HUD WebSocket and receive the full view stream, including session state, Tiltfile contents, resource statuses, and continued updates. This issue is fixed in version 0.37.4.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/11/2026
The vulnerability in Tilt affects versions 0.24.0 through 0.37.3 where the development environment management tool for microservices running on Kubernetes contains a critical security flaw in its WebSocket implementation. The Tilt HUD interface utilizes WebSocket connections at the /ws/view endpoint to provide real-time updates and view streams to users, but this communication channel suffers from inadequate authentication controls that allow unauthorized access when the system is exposed to network traffic.
The technical flaw stems from the improper handling of cross-site request forgery protection mechanisms within Tilt's WebSocket infrastructure. While the system correctly implements CSRF token validation for the /ws/view endpoint, it fails to properly secure the token generation process through the /api/websocket_token endpoint which remains accessible without authentication. Additionally, the WebSocket upgrader component accepts client connections that omit the Origin header entirely, bypassing crucial origin validation checks that should prevent unauthorized access attempts.
This vulnerability creates a significant operational impact when Tilt HUD interfaces are exposed to network-accessible environments, particularly in development or staging deployments where security controls may be relaxed. An attacker with network access to the listening port can establish WebSocket connections to the HUD interface and obtain complete view streams containing sensitive information including session state data, Tiltfile configurations that may contain secrets or deployment instructions, resource status updates, and continuous stream updates of the entire application environment. The exposure of this information provides attackers with comprehensive insights into the running microservice architecture and potentially sensitive configuration details.
The flaw aligns with CWE-352 Cross-Site Request Forgery and represents a classic case of insufficient authentication and authorization controls in web applications. It also maps to ATT&CK technique T1071.004 Application Layer Protocol: DNS where network-based attacks can leverage exposed interfaces, and potentially T1566 Credential Access Through Lateral Movement if the exposed information leads to further system compromise. Organizations using Tilt in network-accessible environments should immediately implement mitigations including restricting access to Tilt HUD interfaces through firewall rules, implementing proper authentication mechanisms, or upgrading to version 0.37.4 which addresses these security concerns through improved token handling and WebSocket connection validation processes.
The fix implemented in version 0.37.4 resolves this vulnerability by strengthening the WebSocket authentication mechanisms and ensuring that the token generation endpoint properly validates client access before issuing tokens. This update corrects the improper acceptance of connections lacking proper Origin headers and ensures that WebSocket upgrades require valid authentication credentials, thereby preventing unauthorized access to sensitive development environment information that could otherwise be exposed to attackers who gain network access to the Tilt instance.