# CVE-2025-14269
A security issue was discovered in the in-cluster version of Headlamp where unauthenticated users may be able to reuse cached credentials to access Helm functionality through the Headlamp UI. Kubernetes clusters are only affected if Headlamp is installed, is configured with config.enableHelm: true, and an authorized user has previously accessed the Helm functionality.

# PoC

- Install Headlamp version <= v0.38.0
- Configured with `config.enableHelm: true`
- The logged in user must open the Helm page (`/clusters/main/helm/releases/list`), after which the response will be cached
- After this, an unauthorized user can also send a request to `/clusters/main/helm/releases/list` and receive a response with sensitive information, including keys, tokens, and passwords.
<img width="1414" height="393" alt="Снимок экрана 2025-12-17 в 21 18 43" src="https://github.com/user-attachments/assets/ee8b8183-443f-4ed9-b429-8a5813e714a6" />