Skip to main content

Kite CVE-2026-53487

MEDIUM
Missing Authorization (CWE-862)
2026-07-07 https://github.com/kite-org/kite GHSA-gvhc-wv3v-7pf8
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Requires a valid authenticated session with any assigned role (PR:L); only aggregate cluster inventory counts exposed, not secrets or credentials (C:L).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 00:27 vuln.today

DescriptionGitHub Advisory

Summary

Authenticated Kite users with any role can request /api/v1/overview for a cluster that their roles do not permit by selecting that cluster with x-cluster-name. The overview route is registered before middleware.RBACMiddleware() and GetOverview only checks len(user.Roles) > 0, so it returns aggregate Kubernetes inventory and capacity data from unauthorized clusters.

The issue is present on current main commit 38c9bb9d4b746c0d2a8252f3c35cdfa07ab01c21 and latest release v0.12.2 at commit 0aae35abb2d6a8adf623fe60349261aa48753ccc.

Impact

A low-privileged user who only has access to one cluster can set x-cluster-name to another configured cluster and retrieve aggregate inventory and resource sizing data for that cluster. The response includes total node, pod, namespace, service, CPU, and memory values. This bypasses the cluster membership boundary used elsewhere in Kite.

The validated impact is confidentiality only. I did not prove Kubernetes mutation, pod names, secret values, kubeconfig contents, or bearer token exposure through this endpoint.

Technical details

routes.go registers /api/v1/overview before the global RBAC middleware is applied:

  • routes.go:131-133: /api/v1 gets RequireAuth() and ClusterMiddleware(cm).
  • routes.go:135: /api/v1/overview is registered.
  • routes.go:171: api.Use(middleware.RBACMiddleware()) is applied only after overview and several other routes are registered.

pkg/middleware/cluster.go:21-40 accepts the target cluster name from x-cluster-name, query, or cookie and injects the matching ClientSet without checking whether the user can access that cluster.

pkg/system/handler.go:47-52 retrieves the selected cluster and user, but only rejects users with zero roles:

go
cs := c.MustGet("cluster").(*cluster.ClientSet)
user := c.MustGet("user").(model.User)
if len(user.Roles) == 0 {
    c.JSON(http.StatusForbidden, gin.H{"error": "Access denied"})
    return
}

It then lists nodes, pods, namespaces, and services for the selected cluster at pkg/system/handler.go:63-137 and returns aggregate data at pkg/system/handler.go:147-169.

The intended cluster boundary exists elsewhere. pkg/cluster/cluster_handler.go:19-47 filters /api/v1/clusters with rbac.CanAccessCluster(user, name), and pkg/rbac/rbac.go:32-40 implements that cluster check. The vulnerable overview path skips the same check.

Reproduction

  1. Configure Kite with at least two clusters, for example dev-cluster and prod-cluster.
  2. Create a user with a role that allows only dev-cluster and does not match prod-cluster.
  3. Authenticate as that user.
  4. Send GET /api/v1/overview with header x-cluster-name: prod-cluster.
  5. Observe that the response includes aggregate inventory and capacity data for prod-cluster instead of returning 403.

I also validated this locally with a Go proof test. The test constructs a fake prod-cluster containing one node, namespace, service, and pod. The user has a role limited to dev-cluster and dev-ns only. Before calling the handler, both controls return false:

  • rbac.CanAccess(user, "pods", "get", "prod-cluster", "_all")
  • rbac.CanAccessCluster(user, "prod-cluster")

The direct handler call then succeeds and returns the unauthorized production cluster aggregate data.

Command run:

bash
cd /home/unkn0wn/security_audit/kite
go test ./pkg/system -run TestOverviewAllowsUserWithoutTargetClusterRBAC -v

Key output:

text
=== RUN   TestOverviewAllowsUserWithoutTargetClusterRBAC
    overview_rbac_poc_test.go:74: unauthorized overview response: {"totalNodes":1,"readyNodes":0,"totalPods":1,"runningPods":0,"totalNamespaces":1,"totalServices":1,"prometheusEnabled":false,"resource":{"cpu":{"allocatable":0,"requested":0,"limited":0},"memory":{"allocatable":0,"requested":0,"limited":0}}}
--- PASS: TestOverviewAllowsUserWithoutTargetClusterRBAC (0.49s)
PASS
ok  	github.com/zxh326/kite/pkg/system	0.711s

Suggested remediation

Add an explicit cluster and resource authorization check before any overview data is queried. At minimum, reject users without rbac.CanAccessCluster(user, cs.Name). A stricter fix should require the same resource permissions used by the AI get_cluster_overview tool:

  • get nodes at cluster scope
  • get pods across all namespaces
  • get namespaces at cluster scope
  • get services across all namespaces

Also consider moving every route that lacks its own complete authorization below api.Use(middleware.RBACMiddleware()), or adding per-handler authorization tests for all pre-RBAC routes.

AnalysisAI

Cluster-level RBAC bypass in Kite (github.com/zxh326/kite) v0.12.2 allows any authenticated user to retrieve aggregate inventory and capacity data from Kubernetes clusters they are not authorized to access. By supplying an arbitrary cluster name in the x-cluster-name header, a low-privileged user scoped to one cluster can enumerate node counts, pod counts, namespace counts, service counts, and CPU/memory resource totals from other configured clusters. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged Kite user
Delivery
Supply unauthorized cluster name in x-cluster-name header
Exploit
Send GET /api/v1/overview
Execution
Bypass RBAC middleware due to route registration order
Persist
Handler checks only role existence, not cluster membership
Impact
Receive aggregate inventory and capacity data for unauthorized cluster

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid authenticated session in Kite with at least one role assigned in any cluster - even a zero-permission role satisfies the `len(user.Roles) > 0` check. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately reflects the real-world risk: network-reachable, low attack complexity, requires a valid authenticated session with at least one role, no user interaction, and the impact is limited to confidentiality of aggregate data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Kite user assigned only to `dev-cluster` sends `GET /api/v1/overview` with the HTTP header `x-cluster-name: prod-cluster`. Because the route is registered before RBAC middleware and the handler only verifies that the user holds any role, the server queries the production cluster and returns aggregate inventory data including total node, pod, namespace, and service counts along with CPU and memory allocations. …
Remediation No vendor-released patch has been identified at time of analysis; a remediation version is not available from the provided data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-53487 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy