Skip to main content

cert-manager EUVDEUVD-2026-45017

| CVE-2026-62290 HIGH
Incorrect Authorization (CWE-863)
2026-07-16 GitHub_M
7.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
vuln.today AI
8.5 HIGH

Authenticated tenant (PR:L) reaches the network-facing Kubernetes API (AV:N/AC:L) and crosses tenancy scope (S:C) to disclose cluster DNS credentials (C:H), with limited integrity and no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Jul 16, 2026 - 22:19 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 20:19 vuln.today
Analysis Generated
Jul 16, 2026 - 20:19 vuln.today
CVE Published
Jul 16, 2026 - 19:37 cve.org
HIGH 7.3

DescriptionCVE.org

cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. From 1.18.0 until 1.19.6 and 1.20.3, Challenge resources under acme.cert-manager.io can be created directly by namespace users without admission validation tying the Challenge to an Order, owner reference, or Issuer-selected solver, allowing attacker-controlled Challenge.spec.solver values referencing a ClusterIssuer to bypass DNS01 solver selectors such as dnsZones, dnsNames, and matchLabels and cause cert-manager to use ClusterIssuer DNS credentials for attacker-selected provider settings and DNS names, including disclosure of X-Api-User and X-Api-Key headers for acme-dns. This issue is fixed in versions 1.19.6 and 1.20.3.

AnalysisAI

Improper authorization in cert-manager 1.18.0 through 1.19.5 and 1.20.0-1.20.2 lets a namespaced tenant with standard Challenge/Order create rights forge ACME Challenge resources that reference a ClusterIssuer, bypassing DNS01 solver selectors (dnsZones, dnsNames, matchLabels) so the controller uses cluster-wide DNS credentials for attacker-chosen provider settings and names. The primary consequence is disclosure of shared ClusterIssuer DNS credentials - notably acme-dns X-Api-User and X-Api-Key headers - enabling cross-tenant credential theft in multi-tenant clusters. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as namespace tenant with Challenge create rights
Delivery
Craft Challenge.spec.solver referencing a ClusterIssuer
Exploit
Bypass DNS01 selectors (dnsZones/dnsNames/matchLabels)
Execution
cert-manager acts with ClusterIssuer DNS credentials
Impact
Disclose acme-dns X-Api-User/X-Api-Key and control attacker DNS names

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Kubernetes principal (PR:L) that already holds the 'create' verb on acme.cert-manager.io Challenge (and/or Order) resources in a namespace - the permission granted by cert-manager's default pre-fix Helm RBAC. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, base 7.3) reflects a low-complexity attack by an already-authenticated, low-privileged namespace tenant with a scope change (the vulnerable namespaced component reaches cluster-scoped ClusterIssuer credentials) and high confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A tenant confined to their own namespace but granted the default cert-manager RBAC crafts a Challenge resource whose spec.solver references a cluster-wide DNS01 ClusterIssuer and specifies attacker-chosen DNS names and provider settings. cert-manager processes the forged Challenge using the ClusterIssuer's DNS credentials, and the tenant observes the resulting solver behavior and leaked provider headers (such as acme-dns X-Api-User and X-Api-Key), obtaining credentials that belong to the cluster rather than their namespace. …
Remediation Vendor-released patch: upgrade to cert-manager 1.19.6 (https://github.com/cert-manager/cert-manager/releases/tag/v1.19.6) or 1.20.3 (https://github.com/cert-manager/cert-manager/releases/tag/v1.20.3), per advisory GHSA-8rvj-mm4h-c258. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit current cert-manager deployment version and identify all namespaced tenants with Challenge/Order resource-creation rights; immediately restrict these permissions to administrative teams only via RBAC policies. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

EUVD-2026-45017 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy