<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>OpenCost - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/opencost/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 19:25:45 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/opencost/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenCost ServiceKey Endpoint Unauthorized Credential Overwrite/Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-opencost-servicekey-unauth-write/</link><pubDate>Tue, 14 Jul 2026 19:25:45 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-opencost-servicekey-unauth-write/</guid><description>OpenCost contains an unauthenticated file write vulnerability, tracked as GHSA-wmj8-9953-vff5, in its `/serviceKey` endpoint that allows remote attackers to overwrite the GCP service account key file (`key.json`) without any authentication or input validation, leading to service disruption, credential theft, and potential privilege escalation within Kubernetes clusters or GCP environments.</description><content:encoded><![CDATA[<p>OpenCost, an open-source project for Kubernetes cost monitoring, is affected by an unauthenticated file write vulnerability (GHSA-wmj8-9953-vff5) in its <code>/serviceKey</code> endpoint. This flaw permits remote attackers to overwrite the <code>key.json</code> file, which typically stores Google Cloud Platform (GCP) service account credentials, without any form of authentication or input validation. The vulnerability resides within the <code>AddServiceKey</code> function in <code>pkg/costmodel/router.go</code>, where user-supplied content from a POST request's <code>key</code> parameter is directly written to the file system. This allows attackers to inject invalid data, causing service disruption by breaking GCP integrations, or to replace legitimate credentials with attacker-controlled ones, facilitating credential theft and potential privilege escalation within the targeted Kubernetes cluster or associated GCP environment. Additionally, an overly permissive CORS header (<code>Access-Control-Allow-Origin: *</code>) in the affected endpoint further enables cross-origin attacks if the OpenCost instance is exposed to a web browser. All versions of OpenCost up to and including the latest release are affected.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a network-accessible OpenCost instance running a vulnerable version. This could be through a public ingress, NodePort exposure, or internal network access.</li>
<li>The attacker crafts an HTTP POST request targeting the <code>/serviceKey</code> endpoint of the OpenCost service (e.g., <code>http://opencost.opencost.svc.cluster.local:9003/serviceKey</code> or <code>http://localhost:9003/serviceKey</code>).</li>
<li>The request includes a <code>key</code> parameter within the request body, containing malicious data such as malformed JSON, an empty string, or attacker-controlled valid GCP service account credentials.</li>
<li>The vulnerable <code>AddServiceKey</code> function in OpenCost's <code>pkg/costmodel/router.go</code> receives the unauthenticated request.</li>
<li>Lacking any authentication or input validation, OpenCost extracts the value from the <code>key</code> parameter.</li>
<li>The extracted content is directly written to the <code>key.json</code> file located in the <code>CONFIG_PATH</code> directory (which defaults to <code>/var/configs</code>).</li>
<li>The existing <code>key.json</code> file is overwritten with the attacker-supplied malicious content, compromising the integrity or confidentiality of the GCP service account key.</li>
<li>Subsequent attempts by OpenCost to interact with GCP APIs will either fail due to invalid credentials, causing service disruption, or connect to an attacker-controlled GCP project, enabling data exfiltration or unauthorized actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The unauthorized file write vulnerability in OpenCost can lead to severe consequences across multiple dimensions. If an attacker injects invalid JSON or malformed credentials into <code>key.json</code>, OpenCost's ability to communicate with the GCP Billing API will cease, resulting in a disruption of cost monitoring and FinOps processes. This directly impacts an organization's ability to track and manage cloud expenditures. More critically, an attacker can inject their own GCP service account credentials, leading to sensitive data leakage. This includes the organization's cloud resource usage patterns, detailed cost breakdowns per namespace, and overall business intelligence regarding infrastructure scale and technology adoption. Such information could be highly valuable to competitors or for reconnaissance in future attacks. While the attacker cannot control the file path or name, the ability to fully control the <code>key.json</code> content without authentication poses a significant risk. For improperly exposed instances, the permissive CORS configuration enables cross-origin attacks, allowing malicious websites to initiate attacks from a victim's browser without their awareness.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect OpenCost ServiceKey Unauthorized File Write Attempt</code> to your SIEM to alert on suspicious unauthenticated POST requests to the <code>/serviceKey</code> endpoint.</li>
<li>Monitor <code>webserver</code> logs for HTTP POST requests directed at the <code>/serviceKey</code> endpoint, especially those originating from unexpected IP addresses or lacking proper authentication headers.</li>
<li>Restrict network access to the OpenCost service endpoint <code>/serviceKey</code> through firewall rules, network policies, or API gateways to prevent unauthenticated external access.</li>
<li>If possible, implement an authentication layer (e.g., API key, OAuth, OIDC) for the <code>/serviceKey</code> endpoint, as recommended by the OpenCost maintainers' remediation guidance.</li>
<li>Ensure strong input validation is applied to the <code>key</code> parameter to verify the integrity and format of any submitted GCP service account keys.</li>
<li>Review and restrict the <code>Access-Control-Allow-Origin</code> header in your web server or ingress configuration for OpenCost to only trusted domains, preventing cross-origin attacks.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>opencost</category><category>kubernetes</category><category>cloud</category><category>gcp</category><category>vulnerability</category><category>unauthenticated-access</category><category>file-write</category></item></channel></rss>