
A new vulnerability in JumpServer (CVE-2025-27095) has been disclosed, exposing Kubernetes clusters to potential compromise through token leakage. The issue affects multiple versions of JumpServer, an open-source Privileged Access Management (PAM) platform widely adopted for securing access to SSH, RDP, Kubernetes, database, and RemoteApp environments via web browsers.
“An authenticated user with low privileges can exploit a vulnerability in Kubernetes sessions to obtain the token of the Kubernetes cluster,” the advisory states.
The flaw lies in how JumpServer handles Kubernetes sessions. A low-privilege authenticated user can gain access to the kubeconfig file, which defines how to communicate with Kubernetes APIs. By modifying this file, the user can redirect API calls to an external attacker-controlled server, thereby exfiltrating the cluster’s access token.
“This can potentially allow unauthorized access to the cluster and compromise its security,” warns the advisory.
The vulnerability can be exploited using a few simple steps:
- Create a Kubernetes session in JumpServer’s web interface.
- Edit the kubeconfig file to replace the Kubernetes API server address with the attacker’s endpoint (e.g., https://webhook.site/…).
- Run a standard kubectl command (e.g., kubectl get -v 10 pod) to send a request using the modified kubeconfig.
- Intercept the request, which now contains the cluster token and is transmitted directly to the attacker’s server.
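Because the whole chain depends on the kubeconfig's `server` entry being pointed away from the real cluster, a defender can catch the tampered file before kubectl ever sends the token. The audit below is an added example (not JumpServer's code); the approved host list, the kubeconfig contents and the token value are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the organisation's real API server endpoints (assumption).
APPROVED_API_HOSTS = {"k8s-prod.internal.example:6443"}

# Constructed kubeconfig, already parsed into a dict (kubectl reads the same
# structure from YAML or JSON). The second context has been edited the way the
# advisory describes: its cluster server points at an outside host.
SAMPLE_KUBECONFIG = {
    "clusters": [
        {"name": "prod", "cluster": {"server": "https://k8s-prod.internal.example:6443"}},
        {"name": "tampered", "cluster": {"server": "https://collector.example"}},
    ],
    "users": [{"name": "jump-user", "user": {"token": "CONSTRUCTED_PLACEHOLDER_TOKEN"}}],
    "contexts": [
        {"name": "prod", "context": {"cluster": "prod", "user": "jump-user"}},
        {"name": "tampered", "context": {"cluster": "tampered", "user": "jump-user"}},
    ],
}

def audit_kubeconfig(cfg, approved=APPROVED_API_HOSTS):
    """Return one finding string per context whose API server is not approved.

    A bearer token is only exposed when a context pairs a credentialed user
    with a cluster entry whose server is not a known cluster, so each finding
    also records whether the context would actually send a static token.
    """
    clusters = {c["name"]: c.get("cluster", {}) for c in cfg.get("clusters", [])}
    users = {u["name"]: u.get("user", {}) for u in cfg.get("users", [])}
    findings = []
    for ctx in cfg.get("contexts", []):
        ref = ctx.get("context", {})
        server = clusters.get(ref.get("cluster"), {}).get("server", "")
        parts = urlsplit(server)
        creds = users.get(ref.get("user"), {})
        sends_token = bool(creds.get("token") or creds.get("tokenFile"))
        problems = []
        if parts.scheme != "https":
            problems.append(f"scheme {parts.scheme!r} is not https")
        if parts.netloc not in approved:
            problems.append(f"server {parts.netloc!r} is not an approved cluster")
        if problems:
            risk = "bearer token would be sent" if sends_token else "no static token"
            findings.append(f"context {ctx.get('name')!r}: {'; '.join(problems)} ({risk})")
    return findings

if __name__ == "__main__":
    for line in audit_kubeconfig(SAMPLE_KUBECONFIG):
        print(line)
```

Run against the real files a PAM gateway hands to its sessions, the same check flags the tampered context before the token leaves the host.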
Once obtained, the stolen token can be reused to authenticate against the Kubernetes API—depending on the permissions assigned, this could lead to privilege escalation, data theft, configuration tampering, or even remote code execution within the cluster.
JumpServer has acknowledged the issue and released patches in the following safe versions: