{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/tilt-hud-server-versions-0.19.5-0.37.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tilt HUD server (versions 0.19.5-0.37.3)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","rce","data-exfiltration","golang","webserver"],"_cs_type":"advisory","_cs_vendors":["Tilt"],"content_html":"\u003cp\u003eAn unauthenticated access control vulnerability, identified as CVE-2026-55882, has been discovered in the Tilt HUD server, impacting versions from 0.19.5 up to and including 0.37.3. This vulnerability allows remote attackers to access Go's \u003ccode\u003enet/http/pprof\u003c/code\u003e debug endpoints under the \u003ccode\u003e/debug\u003c/code\u003e path without any authentication. This exposure occurs when the Tilt HUD server is configured to bind to a non-loopback network interface (e.g., \u003ccode\u003etilt up --host 0.0.0.0\u003c/code\u003e) and is network-reachable, typically on its default port \u003ccode\u003e10350\u003c/code\u003e. By accessing endpoints like \u003ccode\u003e/debug/pprof/heap\u003c/code\u003e or \u003ccode\u003e/debug/goroutine\u003c/code\u003e, attackers can read arbitrary process memory, potentially exfiltrating sensitive session tokens and API server bearer tokens. Furthermore, accessing \u003ccode\u003e/debug/pprof/profile\u003c/code\u003e or \u003ccode\u003e/debug/pprof/trace\u003c/code\u003e allows attackers to force the server into prolonged CPU profiling or tracing, leading to significant performance degradation and potential denial of service. This critical flaw enables credential access and impact, posing a severe risk to affected deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance\u003c/strong\u003e: An attacker identifies a publicly exposed Tilt HUD server instance running on a non-loopback address (e.g., \u003ccode\u003etilt up --host 0.0.0.0\u003c/code\u003e) on its default port \u003ccode\u003e10350\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification\u003c/strong\u003e: The attacker discovers the unauthenticated \u003ccode\u003epprof\u003c/code\u003e debug endpoints mounted under \u003ccode\u003e/debug\u003c/code\u003e (e.g., \u003ccode\u003e/debug/pprof/heap\u003c/code\u003e, \u003ccode\u003e/debug/goroutine\u003c/code\u003e) are accessible.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Disclosure (Memory Dump)\u003c/strong\u003e: The attacker sends an unauthenticated HTTP GET request to \u003ccode\u003e/debug/pprof/heap\u003c/code\u003e or \u003ccode\u003e/debug/goroutine\u003c/code\u003e to dump the server's process memory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Exfiltration\u003c/strong\u003e: The attacker parses the dumped process memory to extract sensitive data, including session tokens (e.g., from \u003ccode\u003eTilt-Token\u003c/code\u003e cookies) and API server loopback bearer tokens.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePerformance Degradation (CPU Profile)\u003c/strong\u003e: The attacker sends an unauthenticated HTTP GET request to \u003ccode\u003e/debug/pprof/profile?seconds=N\u003c/code\u003e to force the server into prolonged CPU profiling, consuming significant resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePerformance Degradation (Trace)\u003c/strong\u003e: The attacker sends an unauthenticated HTTP GET request to \u003ccode\u003e/debug/pprof/trace?seconds=N\u003c/code\u003e to force prolonged execution tracing, further impacting server responsiveness.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The attacker utilizes stolen credentials for further unauthorized access or causes a denial of service through resource exhaustion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows an unauthenticated attacker with network access to a misconfigured Tilt HUD server to extract highly sensitive data. Specifically, session tokens (found in \u003ccode\u003eTilt-Token\u003c/code\u003e cookies) and internal API server loopback bearer tokens can be retrieved directly from process memory. The compromise of these tokens enables further unauthorized access within the affected environment. Beyond data exfiltration, the attacker can intentionally degrade the server's performance by initiating prolonged CPU profiling or tracing via the \u003ccode\u003e/debug/pprof/profile\u003c/code\u003e and \u003ccode\u003e/debug/pprof/trace\u003c/code\u003e endpoints, effectively causing a denial of service. The combination of data theft and service disruption makes this a high-impact vulnerability for organizations using affected Tilt versions in a network-exposed configuration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect attempts at exploiting CVE-2026-55882 in your environment.\u003c/li\u003e\n\u003cli\u003eEnsure the Tilt HUD server is configured to bind to a loopback address by default (omit \u003ccode\u003e--host\u003c/code\u003e or unset \u003ccode\u003eTILT_HOST\u003c/code\u003e) to prevent network exposure of \u003ccode\u003e/debug\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eUpgrade all affected Tilt HUD server instances to a patched version above 0.37.3 immediately to remediate CVE-2026-55882.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server logging for all Tilt HUD instances to capture HTTP requests, including URI stems and query parameters, for forensic analysis and detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T13:57:19Z","date_published":"2026-06-19T13:57:19Z","id":"https://feed.craftedsignal.io/briefs/2026-06-tilt-pprof-vulnerability/","summary":"An unauthenticated attacker can exploit CVE-2026-55882 in Tilt HUD server versions 0.19.5 through 0.37.3, when exposed on a non-loopback address, by accessing the `/debug/pprof` endpoints to read sensitive process memory, including session and API server tokens, and to degrade application performance through prolonged CPU profiling or tracing.","title":"Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server","url":"https://feed.craftedsignal.io/briefs/2026-06-tilt-pprof-vulnerability/"}],"language":"en","title":"CraftedSignal Threat Feed - Tilt HUD Server (Versions 0.19.5-0.37.3)","version":"https://jsonfeed.org/version/1.1"}