Skip to main content

KubeVirt CVE-2026-13318

| EUVDEUVD-2026-39595 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-26 secalert@redhat.com GHSA-cgm6-wvp9-4g5h
6.4
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Network vector via Kubernetes API; PR:L for required kubevirt.io:edit RBAC; S:C captures virt-api pivot beyond VMI network segment; C:L/I:L for bidirectional SSRF access to internal services without full compromise.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
SUSE
MEDIUM
qualitative
Red Hat
6.4 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 00:35 vuln.today

DescriptionCVE.org

A server-side request forgery (SSRF) flaw was found in KubeVirt's virt-api port-forward handler. When processing a port-forward request to a VirtualMachineInstance (VMI), virt-api reads the target IP from vmi.Status.Interfaces[0].IP and passes it directly to net.Dial() without validation. For VMIs using non-masquerade network bindings (bridge or secondary-only), this IP is reported by the QEMU guest agent running inside the VM and is fully controllable by the VM owner. An attacker with kubevirt.io:edit permissions can create a VM with a modified guest agent that reports an arbitrary IP address, then request port-forward to establish a bidirectional TCP tunnel from virt-api's cluster-internal network position to any routable destination, bypassing NetworkPolicy isolation.

AnalysisAI

Server-side request forgery in KubeVirt's virt-api port-forward handler allows authenticated Kubernetes users with kubevirt.io:edit permissions to establish arbitrary bidirectional TCP tunnels from virt-api's trusted cluster-internal network position to any routable destination, bypassing NetworkPolicy isolation. The vulnerability arises because virt-api reads the target IP from vmi.Status.Interfaces[0].IP - a value supplied by the QEMU guest agent inside the VM and thus fully controllable by the VM owner when non-masquerade network bindings (bridge or secondary-only) are in use - and passes it directly to net.Dial() without validation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain kubevirt.io:edit RBAC in target cluster
Delivery
Deploy VM with bridge/secondary-only network binding
Exploit
Modify guest agent to report arbitrary target IP
Install
Issue port-forward request to VMI via Kubernetes API
C2
virt-api reads attacker-supplied IP and calls net.Dial() without validation
Execute
Bidirectional TCP tunnel established to internal cluster destination
Impact
Access or exfiltrate data from services behind NetworkPolicy

Vulnerability AssessmentAI

Exploitation Exploitation requires kubevirt.io:edit RBAC permissions in the target Kubernetes cluster - this is the primary limiting condition, restricting the attack to authenticated cluster users who have been granted VM create/modify rights. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.4 Medium score with AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N accurately captures most dimensions of this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with kubevirt.io:edit permissions in a shared KubeVirt cluster deploys a VM using bridge network binding and replaces the QEMU guest agent with a modified version that reports the IP of an internal Kubernetes service (e.g. a cluster-internal database or the cloud instance metadata endpoint 169.254.169.254) as the VMI's interface address. …
Remediation No vendor-released patch version is confirmed from available data; consult the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-13318 and Bugzilla at https://bugzilla.redhat.com/show_bug.cgi?id=2492659 for patch availability and exact fix versions as the issue is tracked by Red Hat Security. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-1798 MEDIUM POC
6.5 Sep 15

A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to confi

CVE-2020-14316 CRITICAL
9.9 Jul 29

A flaw was found in kubevirt 0.29 and earlier. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploi

CVE-2023-26484 HIGH
8.2 Mar 15

KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.2), this vulnerability is re

CVE-2026-13201 HIGH
7.3 Jun 24

Local privilege boundary bypass in KubeVirt's safepath package lets an attacker who controls a virt-launcher pod trick t

CVE-2026-13208 MEDIUM
6.5 Jun 24

KubeVirt's virt-handler domain notify server allows a compromised virt-launcher process to forge lifecycle events for an

CVE-2024-33394 MEDIUM
5.9 May 02

An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command

CVE-2026-13218 MEDIUM
4.2 Jun 26

Symlink-following in KubeVirt's virt-handler permits a container-level attacker to overwrite arbitrary host files and ch

CVE-2025-64324 HIGH POC
8.5 Nov 18

KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.5), this vulnerability is no

CVE-2025-64437 MEDIUM POC
5.0 Nov 07

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.0). Public exploit code av

CVE-2025-64436 MEDIUM POC
6.9 Nov 07

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.9), this vulnerability is

CVE-2025-64435 MEDIUM POC
5.3 Nov 07

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.3), this vulnerability is

CVE-2025-64434 MEDIUM POC
4.7 Nov 07

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code av

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected
SUSE Linux Enterprise Module for Containers 15 SP7 Affected

Share

CVE-2026-13318 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy