Skip to main content

Kubernetes CVE-2026-33105

| EUVDEUVD-2026-18562 CRITICAL
Improper Authorization (CWE-285)
2026-04-03 secure@microsoft.com GHSA-q5xq-rvph-wwgr
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 03, 2026 - 00:22 euvd
EUVD-2026-18562
Analysis Generated
Apr 03, 2026 - 00:22 vuln.today
CVE Published
Apr 03, 2026 - 00:16 nvd
CRITICAL 10.0

DescriptionCVE.org

Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.

AnalysisAI

Microsoft Azure Kubernetes Service (AKS) contains an improper authorization vulnerability enabling unauthenticated remote attackers to elevate privileges over a network with critical impact across confidentiality, integrity, and availability. The CVSS 10.0 critical rating reflects network-accessible exploitation requiring no authentication, low complexity, and scope change allowing compromise beyond the vulnerable component. No public exploit identified at time of analysis, though the authentication bypass nature and maximum severity warrant immediate priority.

Technical ContextAI

This vulnerability stems from CWE-285 (Improper Authorization), indicating a flaw in AKS's access control enforcement mechanisms that fails to properly validate user permissions before granting elevated privileges. Azure Kubernetes Service manages containerized applications through Kubernetes orchestration, where authorization typically flows through Kubernetes RBAC (Role-Based Access Control) and Azure Active Directory integration. The improper authorization allows bypass of these controls, potentially at the API server level, kubelet authentication layer, or Azure control plane interface. Given the Kubernetes multi-tenant architecture, authorization failures can expose cluster-wide resources, workloads, and underlying infrastructure across namespace boundaries.

RemediationAI

Organizations must immediately consult the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33105 for vendor-released patches and specific remediation guidance. Microsoft typically delivers AKS security updates through automatic control plane updates or requires manual cluster upgrades depending on severity and cluster configuration. Until patching is complete, implement compensating controls including restricting AKS API server network access through authorized IP ranges, enabling Azure Private Link for AKS to eliminate public internet exposure, enforcing Azure AD Pod Identity for workload authentication, and conducting immediate audit log review for unauthorized privilege escalation attempts. Monitor AKS audit logs for unusual authentication patterns, unauthorized role binding creation, and abnormal API server access from unexpected source IPs. Given the critical severity and authentication bypass nature, emergency patching outside normal maintenance windows is justified.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-33105 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy