Skip to main content

Pinniped CVE-2026-59269

| EUVDEUVD-2026-42530 LOW
2026-07-09 vmware
3.8
CVSS 3.1 · Vendor: vmware

Severity by source

Vendor (vmware) PRIMARY
3.8 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
3.3 LOW

AC:H overrides vendor AC:L because five concurrent non-default conditions must hold; PR:H preserved as AD group-write access is a privileged AD capability.

3.1 AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS VectorVendor: vmware

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 08:52 vuln.today
CVE Published
Jul 09, 2026 - 07:12 cve.org
LOW 3.8

DescriptionCVE.org

A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elevated permissions in the clusters, only if all the following conditions were true: the Pinniped Supervisor server is running with an ActiveDirectoryIdentityProvider resource configured; the ActiveDirectoryIdentityProvider.spec.groupSearch.attributes.groupName is empty; the attacker gains the ability to edit some part of the distinguished name (DN) of group entries in the Active Directory (AD) server's database for groups to which they belong; the configured group search parameters cause the edited group to be included in the group search results for the user; and the attacker knows the password for an AD user who belongs to the edited AD group. Affected versions: Pinniped (go.pinniped.dev) v0.11.0 through v0.46.0 inclusive; fixed in v0.47.0.

AnalysisAI

Privilege escalation in VMware Pinniped's Kubernetes authentication layer allows an attacker who already controls Active Directory group distinguished names to gain elevated Kubernetes RBAC permissions beyond their legitimate entitlements. The flaw affects Pinniped v0.11.0 through v0.46.0 when the Supervisor is configured with an ActiveDirectoryIdentityProvider and a specific empty groupName attribute, and only when an attacker simultaneously holds write access to AD group entries and valid AD user credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain AD group write permissions
Delivery
Modify target group Distinguished Name to match privileged Kubernetes RBAC binding
Exploit
Verify Pinniped group search parameters include modified group
Execution
Authenticate to Pinniped Supervisor as AD user with known credentials
Persist
Receive elevated Kubernetes group claim from DN manipulation
Impact
Exercise unintended RBAC permissions within cluster

Vulnerability AssessmentAI

Exploitation All five conditions must be simultaneously true: (1) The Pinniped Supervisor is running with an ActiveDirectoryIdentityProvider resource configured - a non-default, explicitly deployed configuration; (2) the groupSearch.attributes.groupName field within that provider is explicitly empty - another non-default choice that causes DN fallback; (3) the attacker has write access to Distinguished Name components (CN, OU, or DC attributes) of AD group entries for groups to which they belong - this is a privileged AD capability, not available to ordinary users; (4) the group search parameters configured in Pinniped are broad enough to return the modified group entry in results for that user; and (5) the attacker knows valid credentials for an AD user who is a member of the edited group. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is very low despite the network-accessible nature of Pinniped's authentication endpoint. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has been delegated write access to Active Directory group objects - for example, a help-desk operator or a previously compromised service account - locates a Kubernetes RBAC group binding for a privileged role (e.g., cluster-admin) and modifies the CN or OU component of a target AD group's DN to match the expected group claim string. When the attacker subsequently authenticates to the Kubernetes cluster through Pinniped using valid credentials for an AD user who belongs to that modified group, Pinniped's group search returns the crafted DN as the group membership claim, and the Kubernetes API server grants the elevated RBAC role. …
Remediation Upgrade Pinniped to v0.47.0, which is the vendor-released patched version confirmed in the GitHub advisory at https://github.com/vmware/pinniped/security/advisories/GHSA-7xq8-m6h6-2xg8. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-59269 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy