EUVD-2026-35504
GHSA-3rwf-9748-8cvv
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Azure Kubernetes Service allows an authorized attacker to execute code locally.
AnalysisAI
Local privilege escalation and code execution in Microsoft Azure Kubernetes Service (AKS) is possible via a path traversal flaw (CWE-22) that allows an authorized attacker on the local system to break out of restricted directory boundaries and execute code with elevated privileges. The CVSS 3.1 score of 8.8 reflects the scope change (S:C) where exploitation impacts resources beyond the vulnerable component, enabling full confidentiality, integrity, and availability compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already hold low-level authorized access (PR:L) on the local system - in AKS terms, this typically means code execution inside a pod, a workload identity, or shell access on a node - and to be able to reach the vulnerable AKS component that processes attacker-controlled filesystem paths. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) indicates that exploitation requires local access with low privileges but no user interaction, and crucially carries a Scope:Changed designation - meaning a successful attack crosses a security boundary (e.g., container-to-host or tenant-to-control-plane), justifying the elevated 8.8 score despite the local attack vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained low-privileged local access on an AKS node or inside a tenant pod - for example, via a compromised application container or stolen workload credentials - sends a crafted request containing traversal sequences to a vulnerable AKS component that handles file paths, causing it to read, write, or execute files outside the intended sandbox. Because the CVSS scope is Changed, this allows the attacker to break out of the container or namespace boundary and execute code in the context of the host node or another tenant, achieving full compromise of confidentiality, integrity, and availability. … |
| Remediation | Patch status per available data: patch available per vendor advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32193, with no exact fix version disclosed in the provided references. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all AKS deployments and audit current pod security policies, node access controls, and service account configurations; establish incident response procedures. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Authentication bypass in Defense Unicorns UDS Identity Config versions 0.11.0 through 0.26.0 allows unauthenticated remo
Privilege bypass in Jupyter Enterprise Gateway versions 2.0.0rc1 through 3.2.x allows remote unauthenticated attackers t
SQL injection in Red Hat's kubev2v migration-planner allows a remote authenticated attacker to upload a crafted RVTools
{id}) or delete (DELETE /api/projects) any project on the platform, triggering cascading deletion of associated Function
Sensitive credential disclosure in Sidero Labs Omni (versions 1.3.0–1.6.5 and 1.7.0–1.7.2) allows authenticated users wi
Share
External POC / Exploit Code
Leaving vuln.today