Skip to main content

OpenFeature Operator CVE-2026-54495

MEDIUM
Exposure of Resource to Wrong Sphere (CWE-668)
2026-07-15 https://github.com/open-feature/open-feature-operator GHSA-398h-7f66-3h4p
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network vector for Kubernetes API access, PR:L for required workload controller create permission, C:L for partial inline spec disclosure only; no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 15, 2026 - 23:16 vuln.today
Analysis Generated
Jul 15, 2026 - 23:16 vuln.today

DescriptionGitHub Advisory

Summary

A namespaced FeatureFlagSource or InProcessConfiguration resource can be referenced cross-namespace via the openfeature.dev/featureflagsource annotation using the documented {NAMESPACE}/{NAME} syntax. The operator resolves the referenced resource cluster-wide and materializes its contents (env vars, flagd sidecar arguments including httpSyncBearerToken, sync URIs, supporting ConfigMaps) into the referencing workload.

On multi-tenant clusters that treat namespaces as trust boundaries, a tenant who can deploy a controller-owned workload in their own namespace can cause the operator to read another tenant's FeatureFlagSource / InProcessConfiguration spec contents.

Impact

  • Single-tenant clusters: not impacted.
  • Multi-tenant clusters using namespaces as trust boundaries: tenant-to-tenant disclosure of any data placed inline in FeatureFlagSource / InProcessConfiguration spec, including spec.envVars literal values, spec.httpSyncBearerToken, and sync URIs.

Behavior is documented

The cross-namespace {NAMESPACE}/{NAME} annotation syntax is intentional and documented in docs/annotations.md and docs/feature_flag_source.md. The operator's cluster-wide RBAC scope is intentional. Namespace-as-trust-boundary is not part of the operator's current stated security model.

This advisory makes the tenancy assumption explicit and tracks the architectural change that will eliminate the implicit cross-namespace pattern.

Corrections to the original report

Two technical points in the original report require correction:

  1. secretKeyRef / configMapKeyRef cross-namespace disclosure is not possible via this path. Kubelet resolves these as LocalObjectReference against the pod's own namespace; the operator does not bypass that. The actual disclosure surface is FeatureFlagSource / InProcessConfiguration spec contents the operator itself materializes (inline envVars values, httpSyncBearerToken, sync URIs).
  2. create featureflagsources is not a prerequisite. The webhook rejects pods without OwnerReferences (pod_webhook.go:75-77), so the prerequisite is create on a workload controller (deployments, statefulsets, daemonsets, jobs, cronjobs, replicasets) in a namespace the attacker controls. FeatureFlagSource create in any namespace is not required.

Mitigations

As with any Kubernetes CRD, treat the spec content of FeatureFlagSource and InProcessConfiguration as readable by anyone with read access to the resource, and don't place plaintext secrets in CR spec fields. Fields most likely to bite users:

  • spec.sources[].source, when the URI embeds credentials (e.g. https://user:pass@host/repo)
  • spec.sources[].certPath, if the path itself is sensitive
  • inline spec.envVars[].value (use valueFrom.secretKeyRef instead; kubelet enforces same-namespace resolution and the secret value is not stored in the CR)

If developers treat namespaces as trust boundaries:

  • restrict create on featureflagsources / inprocessconfigurations via RBAC where feasible,

Roadmap

A future release will introduce explicit cluster-scoped CRDs (ClusterFeatureFlagSource, ClusterInProcessConfiguration) and remove implicit cross-namespace resolution. This is a breaking change tracked in #847.

Precedent

This class of issue (authenticated namespace tenant abuses an unenforced cluster-wide surface that crosses an assumed namespace boundary) has Kubernetes precedent: CVE-2020-8554 (External IPs) was accepted as documented posture and mitigated via an opt-in admission plugin.

Credit

Reported by @0xVijay. Thanks for the disclosure. This appears to be an example of https://cwe.mitre.org/data/definitions/668.html. In terms of how it ended up here, it's more of an unimplemented security feature than an "bug". It seems to deviate from reasonable expectations and conventions in the K8s ecosystem. See https://nvd.nist.gov/vuln/detail/cve-2020-8554 as an example of a comparable vulnerability.

AnalysisAI

{NAMESPACE}/{NAME} cross-namespace annotation syntax are both intentional design choices; this vulnerability represents an unimplemented security feature rather than a coding bug, and is categorized as CWE-668. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, multi-tenant Kubernetes clusters relying on namespace isolation as a trust boundary are the exclusive impact surface.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Deployment create RBAC in attacker-controlled namespace
Delivery
Annotate Deployment with victim-namespace/resource-name cross-namespace reference
Exploit
Operator resolves FeatureFlagSource cluster-wide using cluster-scoped RBAC
Execution
Operator materializes victim spec inline values into attacker pod environment
Impact
Read injected env vars including httpSyncBearerToken from running pod

Vulnerability AssessmentAI

Exploitation Exploitation requires a multi-tenant Kubernetes cluster where the open-feature-operator is installed and namespaces are used as trust boundaries between tenants. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) is well-calibrated for this issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operating a tenant namespace on a multi-tenant Kubernetes cluster annotates a Deployment with `openfeature.dev/featureflagsource: victim-namespace/sensitive-flagsource`. Because the open-feature-operator holds cluster-wide read access to FeatureFlagSource resources, it resolves the cross-namespace reference, reads the victim FeatureFlagSource spec, and injects its inline contents - including any httpSyncBearerToken value and env var literals - as environment variables into the attacker-controlled pod. …
Remediation No vendor-released patch has been identified at time of analysis; the upstream architectural fix - introduction of explicit cluster-scoped CRDs (ClusterFeatureFlagSource, ClusterInProcessConfiguration) and removal of implicit cross-namespace resolution - is a tracked breaking change in issue #847 (https://github.com/open-feature/open-feature-operator/issues/847). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-54495 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy