
CVE-2026-45726 (Kubernetes)

Severity: HIGH
Weakness: Information Exposure (CWE-200)
Date: 2026-06-05
Project: https://github.com/siderolabs/omni
Advisory: GHSA-wv8c-6mx2-xf4j
CVSS 3.1 base score: 7.6

CVSS Vector (NVD)

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • Source Code Evidence Fetched: Jun 05, 2026 - 15:51 (vuln.today)
  • Analysis Generated: Jun 05, 2026 - 15:51 (vuln.today)

Description (NVD)

Summary

Omni supports importing standalone Talos clusters.

During this process, an ImportedClusterSecrets resource is created, which contains the full CA secrets bundle for the cluster being imported.

If these secrets are not rotated by the importing actor, an authenticated Omni user with Reader access can read this resource and gain full access to the Talos, Kubernetes and etcd APIs of the cluster.

Severity

  • Attack Vector: Adjacent: the attacker needs to be on the same network as the cluster to reach the Talos/Kubernetes APIs with the compromised keys.
  • Attack Complexity: High: the attacker needs a deep understanding of Omni's internals. The resource is only created for imported clusters and is normally not exposed to users through any high-level API.
  • Privileges Required: Low: the Reader role is sufficient for the attacker to read an imported cluster's secrets.
  • User Interaction: Required: another user must have imported a cluster into Omni for this vulnerability to exist.
  • Scope: Changed: the leaked CA private keys let an attacker gain full control over Kubernetes or Talos directly, beyond the limitations enforced by Omni.
  • Confidentiality Impact: High: full cluster CA private keys (Kubernetes, Talos, etcd, service account) are exposed.
  • Integrity Impact: High: with the CA keys the attacker has full control over Kubernetes and Talos on the compromised (imported) cluster and can modify the workloads on it.
  • Availability Impact: High: with the CA keys the attacker has full control over Kubernetes and Talos on the compromised (imported) cluster and can disrupt the workloads on it.

Impact

  • Any Reader-level account can exfiltrate the complete CA private key hierarchy (Kubernetes CA, etcd CA, service account key) of the imported clusters whose secrets are not yet rotated ("tainted" imported clusters).
  • With the Kubernetes CA private key, an attacker can sign certificates for any Kubernetes user or group, including system:masters, achieving cluster-admin access to the imported cluster entirely outside Omni's control plane.
  • Impact scope extends beyond Omni to every Kubernetes workload, credential, and secret stored in the affected imported cluster.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

Analysis (AI)

Sensitive credential disclosure in Sidero Labs Omni (versions 1.3.0–1.6.5 and 1.7.0–1.7.2) allows authenticated users with the low-privileged Reader role to read the ImportedClusterSecrets resource and exfiltrate the full CA private key bundle (Kubernetes, etcd, Talos, and service-account keys) of imported Talos clusters whose secrets have not been rotated. With those keys, attackers can mint cluster-admin certificates and seize complete control of the downstream cluster outside Omni's control plane. …
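The analysis above names two affected version ranges. The following triage helper, an added example that is neither a vuln.today nor a Sidero Labs tool, takes an inventory of Omni instances and their versions and reports which ones fall inside those ranges. The ranges (1.3.0 through 1.6.5 and 1.7.0 through 1.7.2) are taken from the analysis paragraph; the inventory is constructed sample data; the page does not state which releases contain the fix, so a version outside the ranges is reported only as "not listed as affected".

```python
"""Omni version triage against the affected ranges given on this page (added example).

Assumptions: versions are 'MAJOR.MINOR.PATCH' with an optional 'v' prefix and an
optional pre-release/build suffix ('-beta.0', '+build'); the suffix is ignored and
the numeric triple alone is compared. The ranges come from the page's analysis.
"""
import re

# Inclusive (low, high) ranges from the analysis: 1.3.0-1.6.5 and 1.7.0-1.7.2.
AFFECTED_RANGES = [((1, 3, 0), (1, 6, 5)), ((1, 7, 0), (1, 7, 2))]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(s: str) -> tuple:
    """Return (major, minor, patch) as ints, or raise on an unrecognised string."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the numeric version lies inside any affected range (inclusive)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict) -> dict:
    """Split {instance_name: version} into affected and not-listed-as-affected groups.

    Unparseable versions are collected separately rather than silently skipped,
    because an instance whose version is unknown must not be treated as safe.
    """
    result = {"affected": [], "not_listed": [], "unknown": []}
    for name, ver in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(ver) else "not_listed"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(name)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; instance names and versions are made up.
    sample = {
        "omni-prod": "v1.7.1",
        "omni-lab": "1.7.3",
        "omni-legacy": "1.4.0",
        "omni-staging": "1.6.5-beta.0",
        "omni-unknown": "latest",
    }
    report = triage(sample)
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Instances in the "affected" bucket are the ones where the Recommended Action below applies immediately; also note that the vulnerability only matters on instances that have imported clusters whose secrets have not been rotated, which this version check cannot see.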


Recommended Action (AI)

24 hours: Audit all active Omni Reader role assignments and current user access scope; document which ImportedClusterSecrets resources exist and contain cluster CA keys. …
