Skip to main content

Cert Manager

3 CVEs product

Monthly

CVE-2026-62290 HIGH PATCH This Week

Improper authorization in cert-manager 1.18.0 through 1.19.5 and 1.20.0-1.20.2 lets a namespaced tenant with standard Challenge/Order create rights forge ACME Challenge resources that reference a ClusterIssuer, bypassing DNS01 solver selectors (dnsZones, dnsNames, matchLabels) so the controller uses cluster-wide DNS credentials for attacker-chosen provider settings and names. The primary consequence is disclosure of shared ClusterIssuer DNS credentials - notably acme-dns X-Api-User and X-Api-Key headers - enabling cross-tenant credential theft in multi-tenant clusters. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Kubernetes Authentication Bypass Cert Manager
NVD GitHub
CVSS 3.1
7.3
CVE-2026-25518 Go MEDIUM PATCH This Month

Denial-of-service in cert-manager versions 1.18.0-1.18.4 and 1.19.0-1.19.2 allows network-adjacent attackers to crash the controller by poisoning DNS cache entries during ACME DNS-01 validation through unencrypted DNS traffic interception. An attacker positioned to intercept DNS queries from the cert-manager pod can inject malicious DNS responses that trigger a panic in the controller, disrupting certificate management operations in affected Kubernetes clusters. A patch is available for immediate deployment.

Kubernetes DNS Cert Manager Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2024-36537 HIGH This Week

Insecure permissions in cert-manager v1.14.4 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Information Disclosure Cert Manager
NVD GitHub
CVSS 3.1
7.2
EPSS
0.4%
CVSS 7.3
HIGH PATCH This Week

Improper authorization in cert-manager 1.18.0 through 1.19.5 and 1.20.0-1.20.2 lets a namespaced tenant with standard Challenge/Order create rights forge ACME Challenge resources that reference a ClusterIssuer, bypassing DNS01 solver selectors (dnsZones, dnsNames, matchLabels) so the controller uses cluster-wide DNS credentials for attacker-chosen provider settings and names. The primary consequence is disclosure of shared ClusterIssuer DNS credentials - notably acme-dns X-Api-User and X-Api-Key headers - enabling cross-tenant credential theft in multi-tenant clusters. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Kubernetes Authentication Bypass Cert Manager
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Denial-of-service in cert-manager versions 1.18.0-1.18.4 and 1.19.0-1.19.2 allows network-adjacent attackers to crash the controller by poisoning DNS cache entries during ACME DNS-01 validation through unencrypted DNS traffic interception. An attacker positioned to intercept DNS queries from the cert-manager pod can inject malicious DNS responses that trigger a panic in the controller, disrupting certificate management operations in affected Kubernetes clusters. A patch is available for immediate deployment.

Kubernetes DNS Cert Manager +2
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Insecure permissions in cert-manager v1.14.4 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Information Disclosure Cert Manager
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy