Skip to main content

IBM Turbonomic prometurbo CVE-2026-6389

| EUVDEUVD-2026-26446 HIGH
Improper Privilege Management (CWE-269)
2026-04-30 ibm
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 30, 2026 - 22:01 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 21:45 euvd
EUVD-2026-26446
Analysis Generated
Apr 30, 2026 - 21:45 vuln.today
Patch released
Apr 30, 2026 - 21:45 nvd
Patch available
CVE Published
Apr 30, 2026 - 21:17 nvd
HIGH 8.8

DescriptionCVE.org

IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster‑wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise.

AnalysisAI

Privilege escalation in IBM Turbonomic prometurbo agent allows compromised service accounts to exfiltrate cluster-wide Kubernetes secrets and achieve full cluster takeover. Affects versions 8.16.0 through 8.17.6 deployed in Kubernetes environments. The operator grants excessive RBAC permissions enabling unrestricted read access to all secrets cluster-wide. CVSS 8.8 indicates high severity with scope change to container/cluster level. No active exploitation confirmed (not in CISA KEV), but the attack path from service account compromise to cluster admin is well-understood in Kubernetes threat models.

Technical ContextAI

IBM Turbonomic prometurbo is a Kubernetes operator component that connects Prometheus monitoring data to Turbonomic's Application Resource Management platform. The vulnerability stems from CWE-269 (Improper Privilege Management) where the operator's ServiceAccount is granted overly permissive Kubernetes RBAC roles. Instead of following least-privilege principles with namespace-scoped or resource-limited RoleBindings, the deployment uses ClusterRole bindings that grant 'get/list' verbs on the 'secrets' resource across all namespaces. In Kubernetes architecture, secrets store sensitive data including service account tokens, TLS certificates, database credentials, and API keys. The CVSS scope change (S:C) reflects container escape semantics - compromise of one component (prometurbo pod) enables lateral movement throughout the entire cluster control plane. This represents a classic Kubernetes security anti-pattern where monitoring or observability tools receive admin-equivalent permissions unnecessarily.

RemediationAI

Upgrade to IBM Turbonomic prometurbo agent version 8.17.7 or later, which implements least-privilege RBAC policies scoped to only required namespaces and secret resources per IBM advisory https://www.ibm.com/support/pages/node/7270720. If immediate patching is not feasible, apply these compensating controls with noted limitations: (1) Implement Kubernetes admission controller policies (OPA Gatekeeper or Kyverno) to block ServiceAccount token mounting in high-risk namespaces - this prevents prometurbo from accessing those secrets but may break monitoring for workloads in protected namespaces; (2) Enable Kubernetes audit logging with alerting on 'get/list secrets' API calls from the prometurbo ServiceAccount to detect potential exploitation - provides detection not prevention, and generates high log volume in large clusters; (3) Rotate all Kubernetes secrets cluster-wide and externalize sensitive credentials to a secrets management system (Vault, AWS Secrets Manager) with short-lived tokens - reduces blast radius but requires application refactoring and may not be feasible for third-party workloads. The vendor advisory provides Helm chart updates and manual RBAC reconfiguration instructions for customers who cannot immediately upgrade the full prometurbo version.

Share

CVE-2026-6389 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy