CVE-2026-22806
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2Tags
Description
vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, the scope can be bypassed to access resources outside of it. However, the user still cannot access resources beyond what is accessible to the owner of the access key. Versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10 fix the vulnerability. Some other mitigations are available. Users can limit exposure by reviewing access keys which are scoped and ensuring any users with access to them have appropriate permissions set. Creating automation users with very limited permissions and using access keys for these automation users can be used as a temporary workaround where upgrading is not immediately possible but scoped access keys are needed.
Analysis
Authorization bypass in vCluster Platform Kubernetes virtual cluster management before 4.6.0/4.5.4/4.4.4. Users can access resources outside their authorized virtual cluster scope.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all vCluster Platform deployments and verify installed versions; immediately restrict access key generation and audit existing access keys for suspicious activity. Within 7 days: Implement network segmentation to limit vCluster Platform communication; disable or isolate affected clusters if business-critical; escalate to vendor for patch ETA and emergency support. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today