{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"not set"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2026-25538","title":"Title"},{"category":"description","text":"Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster. This issue has been patched via commit d2b0d26.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2026-25538","url":"https://www.suse.com/security/cve/CVE-2026-25538"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"Advisory link for SUSE-SU-2026:0403-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2026-February/024084.html"}],"title":"SUSE CVE CVE-2026-25538","tracking":{"current_release_date":"2026-02-10T00:24:02Z","generator":{"date":"2026-02-07T00:23:54Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2026-25538","initial_release_date":"2026-02-07T00:23:54Z","revision_history":[{"date":"2026-02-07T00:23:54Z","number":"2","summary":"references added,severity changed from  to not set"},{"date":"2026-02-10T00:24:02Z","number":"3","summary":"references added"}],"status":"interim","version":"3"}}}