WebSocket Exposure in DevSpace UI Server by DevSpace
CVE-2026-42283
7.7 HIGH
What is CVE-2026-42283?
DevSpace is a client-only tool for cloud-native development with Kubernetes. Before version 6.3.21, its UI server's WebSocket functionality accepted connections from any origin by default, which inadvertently exposed several endpoints to cross-origin callers. This allows an attacker to hijack a user's session: if a developer visits a malicious website while the DevSpace UI is running locally, the attacker's page can establish a cross-origin WebSocket connection to the local server, potentially gaining unauthorized access to sensitive operations or data. The issue is fixed in version 6.3.21.
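The defect described above is a missing Origin check on the WebSocket handshake. The following Go program is an added illustration written for this page; it is not DevSpace's code and does not show how the 6.3.21 fix is implemented. It places a permissive handler (any origin accepted) beside one that validates the browser-supplied `Origin` header against an allowlist of local hosts before upgrading, and sends constructed handshake requests at both. The handler names, the allowlist and the port `8090` are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// originAllowed reports whether a WebSocket upgrade request carries an Origin
// that a local UI server should accept. Browsers always attach Origin to a
// WebSocket handshake, so an absent header means a non-browser client (a CLI,
// curl, ...), to which the cross-site concern does not apply. Anything that is
// present but does not parse as http(s)://host (e.g. "null") is rejected.
func originAllowed(r *http.Request, allowedHosts []string) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return false // malformed or non-web origin: fail closed
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(u.Host, h) {
			return true
		}
	}
	return false
}

// isWebSocketUpgrade detects an RFC 6455 handshake request.
func isWebSocketUpgrade(r *http.Request) bool {
	return strings.EqualFold(r.Header.Get("Upgrade"), "websocket") &&
		strings.Contains(strings.ToLower(r.Header.Get("Connection")), "upgrade")
}

// newUIHandler builds a WebSocket endpoint (hypothetical name). checkOrigin=false
// models the weak default (every origin accepted); true is the corrected setting.
// Only the pre-upgrade decision is modelled; a real server would finish the
// handshake (Sec-WebSocket-Accept) after the origin check passes.
func newUIHandler(checkOrigin bool, allowedHosts []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isWebSocketUpgrade(r) {
			http.Error(w, "expected websocket upgrade", http.StatusBadRequest)
			return
		}
		if checkOrigin && !originAllowed(r, allowedHosts) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusSwitchingProtocols)
	})
}

// handshakeStatus sends a constructed browser-style handshake with the given
// Origin (empty string = no Origin header) and returns the HTTP status answered.
func handshakeStatus(h http.Handler, origin string) int {
	req := httptest.NewRequest(http.MethodGet, "http://localhost:8090/ws", nil)
	req.Header.Set("Upgrade", "websocket")
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Sec-WebSocket-Version", "13")
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	allowed := []string{"localhost:8090", "127.0.0.1:8090"} // assumed local UI hosts
	permissive := newUIHandler(false, allowed)
	checked := newUIHandler(true, allowed)
	fmt.Printf("permissive, foreign origin: %d\n", handshakeStatus(permissive, "https://attacker.example"))
	fmt.Printf("checked, foreign origin:    %d\n", handshakeStatus(checked, "https://attacker.example"))
	fmt.Printf("checked, local origin:      %d\n", handshakeStatus(checked, "http://localhost:8090"))
}
```

The allowlist compares the full host (name plus port), so a lookalike such as `localhost.attacker.example` or the same name on another port is refused; the scheme test also refuses the literal `null` origin a sandboxed frame sends. Treating an absent Origin as acceptable keeps non-browser clients working, which is the usual trade-off for a local developer tool since the exposure is specifically a page script in the developer's browser.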
Affected Version(s)
devspace < 6.3.21
