Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Network vector via Kubernetes API; PR:L for required kubevirt.io:edit RBAC; S:C captures virt-api pivot beyond VMI network segment; C:L/I:L for bidirectional SSRF access to internal services without full compromise.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A server-side request forgery (SSRF) flaw was found in KubeVirt's virt-api port-forward handler. When processing a port-forward request to a VirtualMachineInstance (VMI), virt-api reads the target IP from vmi.Status.Interfaces[0].IP and passes it directly to net.Dial() without validation. For VMIs using non-masquerade network bindings (bridge or secondary-only), this IP is reported by the QEMU guest agent running inside the VM and is fully controllable by the VM owner. An attacker with kubevirt.io:edit permissions can create a VM with a modified guest agent that reports an arbitrary IP address, then request port-forward to establish a bidirectional TCP tunnel from virt-api's cluster-internal network position to any routable destination, bypassing NetworkPolicy isolation.
AnalysisAI
Server-side request forgery in KubeVirt's virt-api port-forward handler allows authenticated Kubernetes users with kubevirt.io:edit permissions to establish arbitrary bidirectional TCP tunnels from virt-api's trusted cluster-internal network position to any routable destination, bypassing NetworkPolicy isolation. The vulnerability arises because virt-api reads the target IP from vmi.Status.Interfaces[0].IP - a value supplied by the QEMU guest agent inside the VM and thus fully controllable by the VM owner when non-masquerade network bindings (bridge or secondary-only) are in use - and passes it directly to net.Dial() without validation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires kubevirt.io:edit RBAC permissions in the target Kubernetes cluster - this is the primary limiting condition, restricting the attack to authenticated cluster users who have been granted VM create/modify rights. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.4 Medium score with AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N accurately captures most dimensions of this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with kubevirt.io:edit permissions in a shared KubeVirt cluster deploys a VM using bridge network binding and replaces the QEMU guest agent with a modified version that reports the IP of an internal Kubernetes service (e.g. a cluster-internal database or the cloud instance metadata endpoint 169.254.169.254) as the VMI's interface address. … |
| Remediation | No vendor-released patch version is confirmed from available data; consult the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-13318 and Bugzilla at https://bugzilla.redhat.com/show_bug.cgi?id=2492659 for patch availability and exact fix versions as the issue is tracked by Red Hat Security. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to confi
A flaw was found in kubevirt 0.29 and earlier. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploi
KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.2), this vulnerability is re
Local privilege boundary bypass in KubeVirt's safepath package lets an attacker who controls a virt-launcher pod trick t
KubeVirt's virt-handler domain notify server allows a compromised virt-launcher process to forge lifecycle events for an
An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command
Symlink-following in KubeVirt's virt-handler permits a container-level attacker to overwrite arbitrary host files and ch
KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.5), this vulnerability is no
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.0). Public exploit code av
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.9), this vulnerability is
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.3), this vulnerability is
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code av
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.5 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Micro 6.0 | Affected |
| SUSE Linux Micro 6.1 | Affected |
| SUSE Linux Micro 6.2 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP5 | Affected |
| SUSE Manager Proxy 4.3 | Affected |
| SUSE Manager Retail Branch Server 4.3 | Affected |
| SUSE Manager Server 4.3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| openSUSE Leap 15.4 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap Micro 5.3 | Affected |
| openSUSE Leap Micro 5.4 | Affected |
| openSUSE Leap Micro 5.5 | Affected |
| SUSE Linux Micro Extras 6.0 | Affected |
| SUSE Linux Micro Extras 6.1 | Affected |
| SUSE Linux Micro Extras 6.2 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39595
GHSA-cgm6-wvp9-4g5h