Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server
An unauthenticated attacker can exploit CVE-2026-55882 in Tilt HUD server versions 0.19.5 through 0.37.3, when exposed on a non-loopback address, by accessing the `/debug/pprof` endpoints to read sensitive process memory, including session and API server tokens, and to degrade application performance through prolonged CPU profiling or tracing.
An unauthenticated access control vulnerability, identified as CVE-2026-55882, has been discovered in the Tilt HUD server, impacting versions from 0.19.5 up to and including 0.37.3. This vulnerability allows remote attackers to access Go's net/http/pprof debug endpoints under the `/debug` path without any authentication. The exposure occurs when the Tilt HUD server is configured to bind to a non-loopback network interface (e.g., `tilt up --host 0.0.0.0`) and is network-reachable, typically on its default port 10350. By accessing endpoints such as `/debug/pprof/heap` or `/debug/goroutine`, attackers can read arbitrary process memory, potentially exfiltrating sensitive session tokens and API server bearer tokens. Furthermore, accessing `/debug/pprof/profile` or `/debug/pprof/trace` allows attackers to force the server into prolonged CPU profiling or tracing, leading to significant performance degradation and potential denial of service. This critical flaw enables both credential access and service impact, posing a severe risk to affected deployments.
Attack Chain
- Reconnaissance: An attacker identifies a publicly exposed Tilt HUD server instance running on a non-loopback address (e.g., `tilt up --host 0.0.0.0`) on its default port 10350.
- Vulnerability Identification: The attacker discovers that the unauthenticated pprof debug endpoints mounted under `/debug` (e.g., `/debug/pprof/heap`, `/debug/goroutine`) are accessible.
- Information Disclosure (Memory Dump): The attacker sends an unauthenticated HTTP GET request to `/debug/pprof/heap` or `/debug/goroutine` to dump the server's process memory.
- Credential Exfiltration: The attacker parses the dumped process memory to extract sensitive data, including session tokens (e.g., from `Tilt-Token` cookies) and API server loopback bearer tokens.
- Performance Degradation (CPU Profile): The attacker sends an unauthenticated HTTP GET request to `/debug/pprof/profile?seconds=N` to force the server into prolonged CPU profiling, consuming significant resources.
- Performance Degradation (Trace): The attacker sends an unauthenticated HTTP GET request to `/debug/pprof/trace?seconds=N` to force prolonged execution tracing, further impacting server responsiveness.
- Impact: The attacker utilizes stolen credentials for further unauthorized access or causes a denial of service through resource exhaustion.
Impact
This vulnerability allows an unauthenticated attacker with network access to a misconfigured Tilt HUD server to extract highly sensitive data. Specifically, session tokens (found in Tilt-Token cookies) and internal API server loopback bearer tokens can be retrieved directly from process memory. The compromise of these tokens enables further unauthorized access within the affected environment. Beyond data exfiltration, the attacker can intentionally degrade the server's performance by initiating prolonged CPU profiling or tracing via the /debug/pprof/profile and /debug/pprof/trace endpoints, effectively causing a denial of service. The combination of data theft and service disruption makes this a high-impact vulnerability for organizations using affected Tilt versions in a network-exposed configuration.
Recommendation
- Deploy the provided Sigma rules to detect attempts at exploiting CVE-2026-55882 in your environment.
- Ensure the Tilt HUD server is configured to bind to a loopback address by default (omit `--host` or unset `TILT_HOST`) to prevent network exposure of `/debug` endpoints.
- Upgrade all affected Tilt HUD server instances to a patched version above 0.37.3 immediately to remediate CVE-2026-55882.
- Enable comprehensive web server logging for all Tilt HUD instances to capture HTTP requests, including URI stems and query parameters, for forensic analysis and detection.
Detection coverage (2 rules)
Detects CVE-2026-55882 Exploitation - Tilt pprof Memory Dump Access
Severity: high. Detects CVE-2026-55882 exploitation: unauthenticated HTTP GET requests to the Tilt HUD server's `/debug/pprof/heap` or `/debug/goroutine` endpoints, indicating an attempt to dump process memory.
Detects CVE-2026-55882 Exploitation - Tilt pprof Performance Impact Access
Severity: high. Detects CVE-2026-55882 exploitation: unauthenticated HTTP GET requests to the Tilt HUD server's `/debug/pprof/profile` or `/debug/pprof/trace` endpoints, especially with duration parameters, indicating an attempt to degrade performance.
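The two rules above amount to request-path matching over the web server logs that the Recommendation section asks you to enable. As an added illustration (not code from this advisory or from the Tilt project), here is that matching in Python over constructed sample lines in combined log format; the `remote` field (client address is not loopback) is an added triage aid, since the advisory's precondition is a non-loopback bind, and `203.0.113.7` is a documentation address, not a real indicator.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint sets taken from the two rule descriptions in this advisory.
MEMORY_DUMP_PATHS = {"/debug/pprof/heap", "/debug/goroutine"}
PERF_IMPACT_PATHS = {"/debug/pprof/profile", "/debug/pprof/trace"}
RULE_NAMES = {**dict.fromkeys(MEMORY_DUMP_PATHS, "Tilt pprof Memory Dump Access"),
              **dict.fromkeys(PERF_IMPACT_PATHS, "Tilt pprof Performance Impact Access")}

# Combined-log-format request line: client IP, then "METHOD target HTTP/x" in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def is_remote(ip):
    # A loopback client is the developer's own browser; anything else means the HUD is network-reachable.
    try:
        return not ipaddress.ip_address(ip).is_loopback
    except ValueError:  # a hostname rather than an address: treat as remote
        return True

def classify(line):
    """Return a hit dict if the log line matches one of the advisory's two rules, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":  # both rules key on unauthenticated GETs
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.rstrip("/")
    rule = RULE_NAMES.get(path)
    if rule is None:
        return None
    seconds = parse_qs(parts.query).get("seconds", [None])[0]  # profile/trace duration
    return {
        "rule": rule,
        "ip": m.group("ip"),
        "path": path,
        "seconds": int(seconds) if seconds and seconds.isdigit() else None,
        "remote": is_remote(m.group("ip")),
    }

def scan(lines):
    # Run classify over every log line and keep the hits in order.
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not real traffic); 203.0.113.7 is a documentation address.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 51234',
    '203.0.113.7 - - [10/Mar/2026:12:00:05 +0000] "GET /debug/pprof/profile?seconds=300 HTTP/1.1" 200 8812',
    '127.0.0.1 - - [10/Mar/2026:12:00:09 +0000] "GET /debug/goroutine HTTP/1.1" 200 4020',
    '203.0.113.7 - - [10/Mar/2026:12:00:12 +0000] "GET /api/view HTTP/1.1" 200 1500',
    '203.0.113.7 - - [10/Mar/2026:12:00:15 +0000] "POST /debug/pprof/trace?seconds=60 HTTP/1.1" 405 0',
]
```

`scan(SAMPLE_LOG)` yields three hits: the heap and profile requests from the remote client, and the goroutine request from loopback, which the `remote` flag marks as the local developer rather than network exposure.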