Skip to main content

Kubernetes

594 CVEs product

Monthly

CVE-2026-54495 Go MEDIUM GHSA This Month

{NAMESPACE}/{NAME} cross-namespace annotation syntax are both intentional design choices; this vulnerability represents an unimplemented security feature rather than a coding bug, and is categorized as CWE-668. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, multi-tenant Kubernetes clusters relying on namespace isolation as a trust boundary are the exclusive impact surface.

Kubernetes Information Disclosure
NVD GitHub
CVSS 3.1
4.3
CVE-2026-54450 Go LOW POC PATCH GHSA Monitor

ToolHive's hand-maintained SSRF guard (`networking.IsPrivateIP`) omits IPv6 NAT64 prefixes `64:ff9b::/96` (RFC 6052) and `64:ff9b:1::/48` (RFC 8215), allowing addresses like `64:ff9b:1::a9fe:a9fe` - the NAT64 encoding of the cloud metadata endpoint `169.254.169.254` - to be misclassified as globally routable and pass unchecked. On ToolHive deployments behind a NAT64/DNS64 gateway (the default in IPv6-only Kubernetes clusters and several IPv6-only cloud environments), an unauthenticated attacker can submit a crafted OAuth `client_id` URL that causes ToolHive's CIMD fetcher to dial internal or link-local addresses the guard is intended to block, achieving a blind internal-reachability oracle. Practical impact is limited to TCP/TLS connection probing rather than credential exfiltration due to HTTPS-only enforcement and TLS verification on the attacker-controlled path; a complete proof-of-concept is publicly available in the vendor advisory, and no public exploit identified at time of analysis as a KEV-listed active campaign.

Kubernetes Microsoft SSRF Oracle
NVD GitHub
CVE-2026-56743 MEDIUM PATCH This Month

Network policy bypass in Cilium 1.19.0-1.19.4 allows workloads inside a Kubernetes namespace to reach peers that CIDR-based ipBlock NetworkPolicies should block. The flaw surfaces exclusively when Cilium is deployed with a custom clusterName (any value other than the default 'any'): the network-policy parser in parseNetworkPolicyPeer erroneously instantiates an empty pod selector for selectorless ipBlock peers, which compiles into a wildcard namespace-allow rule instead of a pure CIDR rule. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass Kubernetes Cilium
NVD GitHub
CVSS 3.1
5.4
CVE-2026-55723 HIGH PATCH This Week

Configuration injection in F5 NGINX Ingress Controller lets an authenticated Kubernetes user with rights to create or modify Ingress CRDs or annotations smuggle arbitrary NGINX directives into the generated configuration. Because multiple user-controllable fields are written to the config without sanitization, an attacker can inject directives that create or delete files and disable services on the control plane. No public exploit identified at time of analysis; this is a control-plane-only issue with no data plane exposure, but the CVSS 4.0 score of 8.7 (High) reflects strong confidentiality and integrity impact.

Nginx Kubernetes Code Injection Nginx Ingress Controller
NVD
CVSS 4.0
8.7
CVE-2026-61549 Go HIGH PATCH GHSA This Week

Privilege escalation in Woodpecker CI (v1.0.0 through v3.15.0) running the Kubernetes backend lets any user with Push permission on a connected repository set the pipeline pod's serviceAccountName to an arbitrary ServiceAccount in the pipeline namespace, inheriting its RBAC rights. Because the option was passed straight to the pod spec with no admin gating, a low-privilege contributor can pivot to a privileged ServiceAccount and exfiltrate secrets (DB credentials, API keys, TLS certs) or take over the cluster. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the fix is available in v3.16.0 via a default-off gating flag.

Kubernetes Privilege Escalation
NVD GitHub
CVE-2026-50125 Go HIGH PATCH GHSA This Week

Unauthenticated remote denial of service in StacklokLabs MKP (Model Context Protocol for Kubernetes) server versions before 0.4.1 lets a single crafted `tools/call` request against the default `:8080` endpoint exhaust process memory. The `get_resource` tool accepts attacker-controlled `limitBytes`/`tailLines` values with no upper bound and streams the entire Kubernetes pod-log response into an in-memory `bytes.Buffer`, driving an OOM kill (dynamic reproduction grew RSS from 25.8 MB to 1,179.3 MB on one request). Publicly available exploit code exists in the GitHub Security Advisory; there is no public evidence of active exploitation.

Docker Kubernetes Denial Of Service Python
NVD GitHub
CVSS 3.1
7.5
CVE-2026-44300 Go HIGH PATCH GHSA This Week

Unauthenticated arbitrary file write in OpenCost (all versions up to and including releases before 1.119.1) lets remote clients POST to the /serviceKey endpoint and overwrite the GCP service account key file (key.json) with attacker-controlled content, with no authentication and no input validation. An attacker can either corrupt the credential file to break GCP cost collection or inject their own valid service-account key to redirect the target's billing/cost data to an attacker-owned GCP project. Publicly available exploit code exists (a full reproducible PoC is in the GHSA advisory); no public evidence of active exploitation and no CISA KEV listing.

Privilege Escalation Authentication Bypass Kubernetes Information Disclosure
NVD GitHub
CVE-2026-8590 HIGH This Week

Information disclosure with integrity impact in the Spotfire Server modules of Spotfire Enterprise, Spotfire Enterprise with External Consumers, and Spotfire on Kubernetes allows a remote, unauthenticated attacker to obtain sensitive data and alter server-side state once a victim is lured into a passive interaction (UI:P), such as opening a crafted link or analysis. The CVSS 4.0 base score is 8.7 (High) with high confidentiality and integrity impact and low availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS was not provided.

Kubernetes Information Disclosure Spotfire Enterprise Spotfire Enterprise With External Consumers Spotfire On Kubernetes
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-15416 HIGH PATCH This Week

Remote code execution in the Argo CD repo-server component (as shipped in Red Hat OpenShift GitOps and the argoproj argo-helm chart) allows an unauthenticated attacker with network access to the repo-server to run arbitrary code and, under certain conditions, poison cached manifests to push malicious Kubernetes resources into managed clusters, enabling full cluster takeover. The root cause is missing authentication (CWE-306) on a critical internal service that the default Helm chart left network-exposed. There is no public exploit identified at time of analysis, but detailed third-party technical research (Synacktiv) and press coverage exist, and the flaw was reported unpatched at disclosure.

Authentication Bypass Red Hat RCE Kubernetes Argo Helm +3
NVD GitHub VulDB
CVSS 3.1
8.9
EPSS
0.3%
CVE-2026-61459 CRITICAL POC PATCH Act Now

Argument injection in Flux159 MCP Server Kubernetes before 3.9.0 lets remote attackers redirect kubectl operations to an attacker-controlled API server by smuggling a leading-dash `--server` flag through the resourceType and name parameters of the kubectl_get, kubectl_describe, and kubectl_delete structured tools. Because the injected values bypass the assertNoDangerousFlags check, the operator's bearer token is transmitted to the external server, enabling full Kubernetes cluster compromise. Reported by VulnCheck, it carries CVSS 4.0 9.3, has publicly available exploit code, and a vendor patch in release 3.9.0; there is no confirmed active exploitation.

Authentication Bypass Kubernetes Mcp Server Kubernetes
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-15378 CRITICAL Act Now

Server-Side Request Forgery in the guardrails-detectors component allows a remote attacker to submit a crafted XML Schema Definition (XSD) that forces the service to make attacker-directed requests, reaching cloud metadata services, the Kubernetes API, internal MinIO object storage, and other internal endpoints, and to read local files such as service account tokens and pod secrets. Because the flaw is blind SSRF chained to local file disclosure inside a container/Kubernetes context, an attacker can harvest credentials and pivot deeper into the cluster. No public exploit identified at time of analysis, but the CVSS 9.3 rating and scope-changing impact make this high priority for affected AI-guardrails deployments.

Authentication Bypass SSRF Kubernetes
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-53727 Ruby HIGH POC PATCH GHSA This Week

Server-side request forgery (and cross-scheme local file disclosure) in the Ruby css_parser gem (all versions prior to 3.0.0) lets an attacker who can land a single @import url(...) rule in parsed CSS force the server to issue arbitrary HTTP/HTTPS GETs to any internal host, port or IP, and — via an attacker-controlled 302 redirect to a file:// URI — read local files. Premailer-style consumers that re-emit the parsed CSS into rendered HTML/email leak any CSS-shaped response bytes back to the attacker, turning this into a data-exfiltration channel rather than a blind SSRF. No public CVSS is published and it is not in CISA KEV, but a complete working proof-of-concept (poc.rb) is included in the advisory, so publicly available exploit code exists.

Kubernetes Hashicorp SSRF Canonical Nginx +5
NVD GitHub
CVE-2026-49476 PyPI HIGH POC PATCH GHSA This Week

Memory-exhaustion denial of service in soupsieve, the CSS selector engine bundled with Beautiful Soup 4 (beautifulsoup4), lets remote unauthenticated attackers crash Python services by submitting a large comma-separated CSS selector to soupsieve.compile() or Beautiful Soup's .select()/.select_one(). Each comma-delimited item is parsed into a ~976-byte object graph with no cap on list length, so a ~500 KB selector string of 'a,a,a,...' expands to roughly 244 MB of heap (a ~488x amplification), triggering OOM kills or MemoryError. A working proof-of-concept is published in the advisory; no CISA KEV listing or in-the-wild exploitation is reported.

Kubernetes Python Denial Of Service Docker
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-59269 LOW Monitor

Privilege escalation in VMware Pinniped's Kubernetes authentication layer allows an attacker who already controls Active Directory group distinguished names to gain elevated Kubernetes RBAC permissions beyond their legitimate entitlements. The flaw affects Pinniped v0.11.0 through v0.46.0 when the Supervisor is configured with an ActiveDirectoryIdentityProvider and a specific empty groupName attribute, and only when an attacker simultaneously holds write access to AD group entries and valid AD user credentials. No public exploit code exists and this is not listed in CISA KEV; the vendor CVSS score of 3.8 (Low) reflects the highly constrained exploitation prerequisites.

Kubernetes Information Disclosure Pinniped
NVD GitHub
CVSS 3.1
3.8
EPSS
0.2%
CVE-2026-52831 Go CRITICAL POC PATCH GHSA Act Now

OS command injection in Nuclio (serverless platform) versions <= 1.15.27 lets attackers run arbitrary shell commands as root inside Kubernetes CronJob pods by submitting a function with a crafted cron trigger. The controller concatenates unsanitized `event.headers` keys and `event.body` values into a `/bin/sh -c` curl string; a header key containing a double-quote breaks quoting, and a body containing `$()` triggers command substitution (strconv.Quote does not escape it). Because the Nuclio Dashboard API is unauthenticated in its default configuration, this is remotely reachable; no public exploit is identified in KEV, though a detailed, dynamically-verified PoC accompanies the advisory.

Python Kubernetes Microsoft Docker Command Injection +1
NVD GitHub
CVSS 3.1
10.0
CVE-2026-55761 HIGH PATCH This Week

Authentication bypass in Portainer Community Edition (2.39.0-2.39.3 and 2.40.0 through 2.42.x) lets an unauthenticated network attacker seize full administrative control of a freshly deployed, uninitialized instance. During the five-minute post-deployment setup window the /api/restore and /api/users/admin/init endpoints stay reachable without credentials, so an attacker who wins the race can create the first admin account or restore a crafted backup and take over the platform along with every Docker, Swarm, Kubernetes and ACI environment it manages. No public exploit identified at time of analysis and it is not on CISA KEV, but the fix is available in 2.39.4 and 2.43.0.

Authentication Bypass Kubernetes Docker Portainer
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-53487 Go MEDIUM POC PATCH GHSA This Month

Cluster-level RBAC bypass in Kite (github.com/zxh326/kite) v0.12.2 allows any authenticated user to retrieve aggregate inventory and capacity data from Kubernetes clusters they are not authorized to access. By supplying an arbitrary cluster name in the `x-cluster-name` header, a low-privileged user scoped to one cluster can enumerate node counts, pod counts, namespace counts, service counts, and CPU/memory resource totals from other configured clusters. No public exploit identified at time of analysis, though the reporter provided and validated a working Go proof-of-concept test demonstrating the bypass.

Authentication Bypass Kubernetes
NVD GitHub
CVSS 3.1
4.3
CVE-2026-13019 CRITICAL PATCH Act Now

Missing authentication in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes deployments) exposes a critical API endpoint that a remote, unauthenticated attacker can reach directly, bypassing access controls to interact with functionality that should require an authenticated session. Esri rates this critical (CVSS 9.8) and disclosed it in its June 2026 ArcGIS security bulletin; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because the exposed function is an administrative/portal API reachable over the network with no credentials, successful access could lead to disclosure or manipulation of portal content and configuration.

Authentication Bypass Kubernetes Microsoft Portal For Arcgis
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-13020 CRITICAL PATCH Act Now

Account takeover in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes) stems from a weak forgotten-password recovery mechanism (CWE-640) that a remote, unauthenticated attacker can manipulate to assume ownership of another user's account. The flaw carries a CVSS 9.8 rating because it is network-reachable with no authentication or user interaction, yielding full compromise of confidentiality, integrity, and availability of the targeted account. There is no public exploit identified at time of analysis and EPSS is low (0.22%, 13th percentile), and CISA's SSVC framework records exploitation as none, indicating no observed in-the-wild activity despite the critical score.

Authentication Bypass Kubernetes Microsoft Portal For Arcgis
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-54765 MEDIUM PATCH This Month

Filter context poisoning in Traefik v3.7.0-v3.7.5 allows a low-privileged Kubernetes user to cause security-sensitive backendRef filters - such as tenant identity or authorization headers trusted by the backend - to be applied to requests from a different, co-located HTTPRoute that targets the same backend Service:port. This affects multi-tenant Kubernetes Gateway API deployments and can cross namespace boundaries when a ReferenceGrant permits cross-namespace backend targeting, making it an authorization bypass and tenant-isolation failure. No public exploit identified at time of analysis; the issue is fixed in Traefik v3.7.6.

Authentication Bypass Kubernetes Traefik
NVD GitHub
CVSS 4.0
6.3
EPSS
0.4%
CVE-2026-9165 HIGH This Week

Authenticated denial of service in Red Hat Advanced Cluster Security for Kubernetes (RHACS) 4 allows any user holding a valid API token to exhaust Central's resources. Because Central does not cap the nesting depth of queries served on its authenticated GraphQL API, a single deeply nested query can drive excessive CPU and memory consumption and take down the RHACS management plane. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the low-privilege network vector makes it trivial for any token holder to trigger.

Kubernetes Red Hat Denial Of Service Red Hat Advanced Cluster Security 4
NVD
CVSS 3.1
7.7
EPSS
0.3%
CVE-2026-50163 Go HIGH PATCH GHSA This Week

Arbitrary CWD-file read and inode-tampering in the oras-go v2 content/file tar extractor allows an attacker who controls an OCI artifact to hardlink files from the pulling process's working directory into the extract tree. When a victim runs 'oras pull' (or any Go program using oras-go/v2/content/file) against a malicious layer marked with the io.deis.oras.content.unpack annotation, the flawed ensureLinkPath helper validates a resolved hardlink target but passes the original relative Linkname to os.Link, causing link(2) to resolve it against the process CWD instead of the extract base. Publicly available exploit code exists (detailed PoC and regression test in the advisory); this is not listed in CISA KEV and no active exploitation is confirmed.

Linux Ubuntu Path Traversal Kubernetes
NVD GitHub
CVSS 3.1
7.1
CVE-2026-44938 Go HIGH PATCH GHSA This Week

Privilege-escalation via admission-control bypass in Rancher Fleet allows an attacker with git push access to a Fleet-monitored repository to overwrite Pod Security Standards (PSS) enforcement labels on target namespaces. Because Fleet's agent-side deployer failed to filter security-sensitive keys (notably the `pod-security.kubernetes.io/` prefix) from `namespaceLabels` in `fleet.yaml` or `BundleDeployment.spec.options.namespaceLabels`, an attacker can downgrade namespace admission enforcement and deploy privileged or otherwise restricted workloads that PSS would normally block. No public exploit identified at time of analysis; the flaw was privately reported through responsible disclosure by a NATO NCSC researcher and is not listed in CISA KEV.

Kubernetes Information Disclosure
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-49478 Go HIGH PATCH GHSA This Week

Server-Side Request Forgery in Sigstore Fulcio (before v1.8.6) lets a compromised or malicious OIDC issuer redirect the OIDC Discovery client's metadata fetches to attacker-chosen hosts, enabling blind SSRF against internal systems, poisoning of the verifier cache via a substituted jwks_uri so forged signatures validate, and leakage of the in-cluster Kubernetes ServiceAccount token to third-party hosts. Unauthenticated remote attackers who control a configured (or wildcard-matched) issuer can chain these into trust compromise of the certificate authority. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SSRF Kubernetes
NVD GitHub
CVSS 3.1
8.7
CVE-2026-44949 HIGH PATCH This Week

Authentication bypass in SUSE Rancher's in-cluster admission webhook (rancher-webhook) lets a network-adjacent, unauthenticated attacker forge FleetWorkspace admission payloads so that workspace-related Kubernetes objects are created with attacker-chosen identity data. Affected releases span Rancher 0.7.0–0.7.10, 0.8.0–0.8.7, 0.9.0–0.9.6 and 0.10.0–0.10.7, with integrity impact but no direct confidentiality or availability loss. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue is documented in SUSE/Rancher advisory GHSA-h83p-cq95-vph4.

Authentication Bypass Kubernetes Rancher
NVD GitHub
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-55069 HIGH PATCH This Week

Offline administrator password recovery in Kestra OSS (versions prior to 1.3.24) stems from its BasicAuth component storing the admin credential as a fast SHA-512 hash. An attacker who already holds read access to the backing PostgreSQL database can extract that hash and crack it offline at high speed, then log in as administrator; in Kubernetes deployments this further exposes the cluster ServiceAccount token and all K8s Secrets, enabling vertical privilege escalation. No public exploit identified at time of analysis and not on CISA KEV; EPSS data was not provided.

PostgreSQL Kubernetes Privilege Escalation Kestra
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.2%
CVE-2026-55162 PyPI MEDIUM POC PATCH GHSA This Month

Server-Side Request Forgery in Netflix Lemur's certificate verification pipeline allows an authenticated operator-role user to force the Lemur host to issue outbound HTTP requests to arbitrary internal destinations by uploading a crafted certificate whose CRL Distribution Point or OCSP responder extensions point to RFC1918 addresses, link-local endpoints (169.254.169.254), internal Kubernetes API servers, or loopback interfaces. Both `crl_verify` and `ocsp_verify` in `lemur/certificates/verify.py` pass attacker-controlled URLs directly to network sinks with no destination allow-list, scheme restriction beyond LDAP rejection, or private-address filtering. No public exploit confirmed in CISA KEV, but detailed proof-of-concept reproduction steps are published in the GitHub Security Advisory GHSA-54vg-pfh7-jq95; vendor-released patch v1.9.2 is available.

OpenSSL SSRF Python Kubernetes
NVD GitHub
CVSS 3.1
6.3
CVE-2026-54250 Go MEDIUM POC PATCH GHSA This Month

Arbitrary filesystem write via zip-slip in K3s etcd snapshot restoration affects all K3s versions prior to 1.35.3+k3s1, 1.34.6+k3s1, and v1.33.10+k3s1. A maliciously crafted zip archive with path-traversal entries in member filenames (e.g., '../../etc/cron.d/evil') can overwrite arbitrary files on the host filesystem when an administrator performs a compressed etcd snapshot restore. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Path Traversal Kubernetes K3S
NVD GitHub
CVSS 3.1
5.8
EPSS
0.1%
CVE-2026-52945 HIGH PATCH This Week

Denial of service in the Linux kernel's WireGuard module causes the receive/decryption path to permanently stall for an individual peer under heavy network load. Affected stable trees (notably 6.12.34 through 6.12.73, with the same defect originating in 5.15/6.1 where threaded NAPI became default) can have inbound traffic to a specific WireGuard peer halt completely once the per-peer rx_queue fills its 1024-packet backlog and wg_packet_rx_poll is never rescheduled. The condition was reported by multiple production Cilium/Kubernetes operators; there is no public exploit identified at time of analysis and EPSS is very low (0.10%, 1st percentile).

Linux Kubernetes Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-54353 npm HIGH PATCH GHSA This Week

Server-side request forgery in Budibase (@budibase/backend-core before 3.39.9) lets authenticated users with automation permissions bypass the SSRF blacklist via DNS rebinding, reaching loopback, RFC1918, and cloud metadata endpoints from the Budibase host. The outbound fetch helper validates a hostname's resolved IP against the blacklist but never pins that IP to the subsequent socket, so node-fetch performs a second DNS lookup that can resolve to an internal address. Because several automation steps return upstream response bodies into automation output, the result is a non-blind read primitive; publicly available exploit code (a rebinding PoC) exists, though EPSS is low (0.24%, 15th percentile) and it is not on CISA KEV.

Kubernetes SSRF
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-46611 PyPI MEDIUM PATCH GHSA This Month

DNS rebinding against the Glances XML-RPC server (`glances -s`) allows a network-adjacent or remote attacker to exfiltrate the full system monitoring dataset - including process command lines that routinely contain secrets - from a victim's browser without any authentication. The `GlancesXMLRPCHandler` in `glances/server.py` accepts arbitrary HTTP `Host` headers without validation, an omission that persists while the REST/WebUI server received an equivalent fix (TrustedHostMiddleware, v4.5.2) and the MCP server was protected since v4.5.1. No active exploitation is confirmed (not in CISA KEV), but a detailed proof-of-concept is published in the vendor's GitHub security advisory GHSA-w856-8p3r-p338 and the attack is materially amplified by the companion CORS wildcard issue CVE-2026-46608.

Kubernetes Docker RCE Python Red Hat +1
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-46608 PyPI HIGH PATCH GHSA This Week

Cross-origin data exposure in Glances XML-RPC server (versions 4.5.3 through 4.5.4) allows any malicious web page to read full system monitoring data from a victim's browser because the CORS allowlist silently collapses to 'Access-Control-Allow-Origin: *' whenever two or more origins are configured. This is an incomplete fix for CVE-2026-33533: the CORS header is computed once at startup and never validated against the request's Origin. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis as actively exploited.

Grafana Docker Python Authentication Bypass Kubernetes +1
NVD GitHub
CVSS 3.1
7.4
EPSS
0.4%
CVE-2026-44778 Go LOW PATCH GHSA Monitor

Denial of service in Inspektor Gadget's USDT note parser (pkg/uprobetracer/usdt.go) allows an unprivileged container process to crash or OOM-kill the privileged IG host process by placing a crafted ELF binary at a path targeted by a custom USDT gadget. Two distinct attack vectors exist: a panic from out-of-bounds slice access when DescSize is artificially small, and unbounded memory allocation (~4 GiB) when NameSize or DescSize is set to 0xFFFFFFFF. No public exploit identified at time of analysis; critically, no gadget shipped by the Inspektor Gadget project uses USDT probes, so only deployments running operator-developed custom USDT gadgets are exposed.

RCE Denial Of Service Privilege Escalation Kubernetes
NVD GitHub
CVE-2026-54762 Go MEDIUM PATCH GHSA This Month

The Kubernetes Ingress NGINX provider in Traefik v3.7.0-ea.1 through v3.7.4 fails open when BasicAuth or DigestAuth cannot be installed because the referenced auth-secret is unresolvable, silently publishing the intended-to-be-protected backend route without any authentication middleware to unauthenticated network clients. Operators who explicitly configure auth via nginx.ingress.kubernetes.io/auth-type and auth-secret annotations are left with a live, fully accessible backend route while Traefik logs a single controller-level error and routes traffic normally - a direct violation of the declared security intent. A detailed proof-of-concept covering eight distinct secret-failure scenarios was developed by the reporter and confirmed on both current master and v3.7.1; no public release of exploit code is confirmed and no CISA KEV listing exists at time of analysis.

Nginx Kubernetes Denial Of Service Docker Red Hat +1
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.2%
CVE-2026-47262 Go MEDIUM PATCH GHSA This Month

Memory exhaustion via maliciously crafted container image in containerd causes an OOM kill of the containerd process, rendering the container runtime API unavailable and disrupting orchestration layers including Docker Engine and Kubernetes control-plane components. CVE-2026-47262 is rated Moderate by the containerd project - lower than the four co-patched Critical/High CVEs - and is fixed across the full active supported release tree in versions 2.3.2, 2.2.5, 2.1.9, 2.0.10, and 1.7.33. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Docker Kubernetes Denial Of Service Containerd
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.5%
CVE-2026-53492 Go HIGH PATCH GHSA This Week

Kubernetes device-plugin and resource-allocation enforcement can be bypassed in containerd by a namespace user holding pod-creation rights, who restores a container from a maliciously crafted checkpoint image. The CRI restore path trusts Container Device Interface (CDI) annotations embedded in untrusted checkpoint metadata instead of the pod's create-time spec, letting the attacker smuggle arbitrary CDI edits (host device nodes and mounts) into the restored container. It affects containerd v2.1.0-2.1.8, v2.2.0-2.2.4 and v2.3.0-2.3.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Kubernetes Checkpoint Information Disclosure Containerd
NVD VulDB GitHub
CVSS 4.0
8.4
EPSS
0.5%
CVE-2026-55591 npm MEDIUM PATCH GHSA This Month

Unauthenticated SSRF in signalk-server ≤2.27.0 allows remote attackers to force the server to make arbitrary HTTP/HTTPS requests to any destination, including RFC 1918 private ranges, loopback, and cloud metadata services at 169.254.169.254. On default installations where no admin user has been created, the security middleware is a no-op, meaning all three vulnerable endpoints are completely unauthenticated over the network. A detailed public PoC is included in the GitHub advisory demonstrating internal network scanning, AWS IAM credential theft via IMDSv1, and path-traversal-assisted targeted data exfiltration; no CISA KEV listing is present at time of analysis.

Microsoft Docker Kubernetes Node.js SSRF +2
NVD GitHub
CVSS 3.1
5.8
CVE-2026-11752 Maven MEDIUM PATCH GHSA This Month

Arbitrary file and environment variable reads on xDS client hosts are possible in Armeria versions 1.38.0 and 1.39.0 via the armeria-xds module's SDS (Secret Discovery Service) implementation. The DataSourceStream class resolves control-plane-supplied filename and environment_variable fields from SDS Secret resources without any path confinement or allow-listing, enabling a compromised or semi-trusted xDS control plane - or an attacker who can MITM unprotected SDS gRPC streams - to extract TLS private keys, Kubernetes service-account tokens, cloud credential files, and environment variables such as AWS_SECRET_ACCESS_KEY. No public exploit has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, but the confused-deputy pattern and Kubernetes deployment context make it a high-priority upgrade for affected users.

Kubernetes Java Code Injection
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.2%
CVE-2026-47256 Go MEDIUM PATCH GHSA This Month

Path traversal and query-string injection in the OpenTelemetry Collector Contrib Sentry exporter allows any OTLP span sender to redirect the collector's operator bearer token to arbitrary Sentry API endpoints - including privileged admin, organization, and member management endpoints. The vulnerability stems from the `service.name` span attribute being interpolated directly into Sentry API URLs via `fmt.Sprintf` without validation, while the existing `projectSlugRegexp` safeguard is only applied to operator-configured mappings and never to runtime-derived slugs. No CISA KEV listing exists at time of analysis, but the GHSA advisory provides detailed exploitation steps demonstrating both a universally reliable query-string injection vector and a nginx-dependent path traversal vector, with a fixed version available at 0.154.0.

Path Traversal Nginx Kubernetes
NVD GitHub
CVSS 3.1
5.3
CVE-2026-55636 Go MEDIUM PATCH GHSA This Month

Namespace tenant-label hijack in Capsule v0.13.0-0.13.5 allows an authenticated Kubernetes user with namespaces/finalize RBAC permission to bypass the validating admission webhook and overwrite tenant isolation labels via the finalize subresource. The root cause is a one-character typo in the Helm chart configuration - `namespace/finalize` (singular) instead of `namespaces/finalize` (plural) - rendering the CVE-2026-30963 patch in v0.13.2 entirely ineffective. Publicly available exploit code (PoC) exists and has been confirmed on a kind cluster running Capsule v0.13.2; no active exploitation has been confirmed by CISA KEV.

Authentication Bypass Kubernetes
NVD GitHub
CVSS 3.1
5.7
CVE-2026-54761 Go MEDIUM PATCH GHSA This Month

Traefik's Kubernetes Gateway provider exposes internal services (`api@internal`, `dashboard@internal`, `rest@internal`) on the data plane due to a namespace allowlist check evaluated against the wrong variable in multi-backendRef (WRR) HTTPRoute rules. Operators who configured `crossProviderNamespaces` to restrict which namespaces may reference cross-provider `TraefikService` backends find that restriction entirely bypassed for routes with two or more backendRefs, allowing an unprivileged route namespace to expose the Traefik API unauthenticated on the normal web entrypoint. A fully functional end-to-end proof-of-concept was included in the disclosure; no public exploit identifier at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Kubernetes Docker Suse
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.4%
CVE-2026-48782 PyPI MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in Pydantic AI (versions 1.56.0-1.101.0, 2.0.0b1, 2.0.0b2) allows unauthenticated network attackers to bypass the cloud-metadata IP blocklist by encoding metadata service addresses (e.g., 169.254.169.254) in IPv6 transition forms - specifically IPv4-compatible IPv6, NAT64 RFC 8215 local-use prefixes, operator-chosen NAT64 prefixes, and ISATAP - that the prior remediation (CVE-2026-46678) failed to decode, enabling retrieval of cloud IAM short-term credentials. Exploitation is constrained by two simultaneous prerequisites: the application must use the non-default `force_download='allow-local'` mode and must operate on a network that routes the affected IPv6 transition forms (e.g., IPv6-only or dual-stack-with-NAT64 Kubernetes clusters). This is the third iteration in an escalating bypass chain (CVE-2026-25580 → CVE-2026-46678 → CVE-2026-48782), and no public exploit has been identified at time of analysis.

Python Kubernetes SSRF Pydantic Ai Pydantic Ai Slim +1
NVD GitHub
CVSS 3.1
6.8
EPSS
0.3%
CVE-2026-48491 Go HIGH PATCH GHSA This Week

Mutual-TLS bypass in Traefik v3.7.0 and v3.7.1 lets unauthenticated remote attackers reach backends protected by wildcard-router `TLSOptions` (for example `Host("*.example.com")` with `RequireAndVerifyClientCert`). The `SNICheck` domain-fronting middleware resolves TLS options for the HTTP `Host` header via exact map lookups only, so an attacker completing the TLS handshake under a permissive SNI on the same entrypoint can then send a `Host` header for the wildcard-protected backend and skip the client-certificate requirement. Publicly available exploit code exists in the GitHub Security Advisory PoC; this is independent of the prior HTTP/3 mTLS issue.

Kubernetes OpenSSL Information Disclosure Docker
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.2%
CVE-2026-48518 MEDIUM PATCH This Month

{team}/join), exploiting the fact that text/plain Content-Type does not trigger a CORS preflight check. In CTF deployments this allows score inflation by forcing victims to solve Juice Shop challenges credited to the attacker's team; any sensitive data entered by the victim is also captured in the attacker's Juice Shop instance. No public exploit identified at time of analysis, and a vendor-released patch is available in version 10.0.1.

CSRF Kubernetes Information Disclosure Multi Juicer
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-11769 Go MEDIUM PATCH GHSA This Month

Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to create GrafanaDashboard or GrafanaLibraryPanel resources to steal the Kubernetes service account token of the operator manager pod. The jsonnet templating language, supported via spec.jsonnetLib, is evaluated unsandboxed inside the operator manager pod, enabling a path traversal payload to read sensitive files - including the mounted service account token - and exfiltrate it through the resulting dashboard output. No public exploit is identified at time of analysis, but successful exploitation yields cluster-level privilege escalation, reflected in the vendor-assigned CVSS 4.0 subsequent-system impact of SC:H/SI:H.

Grafana Path Traversal Kubernetes Privilege Escalation Grafana Operator
NVD VulDB GitHub
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-53999 Go HIGH PATCH GHSA This Week

Cross-tenant container deletion in the Radius Kubernetes controller (versions <= v0.57.1) allows a tenant with Deployment annotation-edit rights to coerce the high-privilege controller into deleting another tenant's container resource by injecting a forged radapp.io/status JSON blob. The flaw is a classic Confused Deputy (CWE-441/CWE-20) that yields an availability-only impact, is most severe in multi-tenant installs, and currently has publicly available exploit code via the GHSA advisory but no public exploit identified at time of analysis in CISA KEV.

Privilege Escalation Nginx Kubernetes
NVD GitHub
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-50570 HIGH PATCH This Week

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.25.0 allows a tenant with permission to create Function or Environment CRDs to obtain CAP_SYS_TIME inside function/runtime containers by bypassing an incomplete capability denylist in the ValidatePodSpecSafety admission webhook. The denylist only blocked six Linux capabilities (SYS_ADMIN, NET_ADMIN, SYS_PTRACE, SYS_MODULE, DAC_READ_SEARCH, DAC_OVERRIDE) and omitted CAP_SYS_TIME and others, letting tenant-controlled code modify the container's system clock. No public exploit identified at time of analysis, but the upstream patch and CRD diff are publicly visible in fission/fission PR #3465.

Privilege Escalation Kubernetes
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-50569 MEDIUM PATCH This Month

Input validation bypass in Fission (Kubernetes-native serverless framework) prior to version 1.25.0 allows authenticated users with Kubernetes API access to create HTTPTrigger resources with malformed or unsafe URL paths, achieving low-integrity routing manipulation. The RelativeURL and Prefix fields in HTTPTriggerSpec were validated only at the Fission CLI layer; when the post-CRD-modernization admission webhook was retired in favor of API-server CEL, no CEL rules were authored for those two fields - leaving a complete gap exploitable via kubectl apply or direct Kubernetes REST API calls. No public exploit code exists and this CVE is not listed in CISA KEV, but the bypass is straightforward for any cluster user with HTTPTrigger create rights.

Authentication Bypass Kubernetes
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-50568 LOW PATCH Monitor

Path traversal in Fission's SanitizeFilePath function (pkg/utils/utils.go) allows a low-privileged tenant to read or write files outside an intended safe directory on a shared Kubernetes volume. Versions prior to 1.25.0 validated directory confinement using strings.HasPrefix, which performs a purely lexical string comparison: a sibling path such as /packages-extra/evil incorrectly passes a check for the safe directory /packages because it satisfies the string prefix condition without a directory-separator boundary. The builder's Clean handler and the fetcher's Fetch and Upload handlers were all affected. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Kubernetes
NVD GitHub VulDB
CVSS 3.1
3.6
EPSS
0.0%
CVE-2026-50567 HIGH PATCH This Week

Path traversal in Fission Kubernetes serverless framework prior to version 1.25.0 allows authenticated tenants to write files outside the intended extraction directory by submitting a crafted package archive. The fetcher sidecar (fission-fetcher) processes attacker-controlled Package.Spec.Source.URL or Deployment.URL archives via Unarchive in pkg/utils/zip.go, where filepath.Join was used without verifying the resolved path stayed under the destination, enabling cross-tenant file overwrite, tampering with mounted secret/config volumes, or overwriting the fetcher binary itself. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Path Traversal Kubernetes
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-50566 Go CRITICAL POC PATCH GHSA Act Now

Privilege escalation in Fission prior to version 1.24.0 allows a tenant holding environments.fission.io create/update RBAC to define Environment custom resources with privileged, allowPrivilegeEscalation, or dangerous Linux capabilities on the bare Runtime.Container or Builder.Container fields, which bypass the existing PodSpec safety validator and get scheduled under the executor's high-privilege service account. Successful abuse enables container-sandbox escape, host filesystem and network access, and node- or cluster-level compromise. No public exploit identified at time of analysis, but the upstream fix is published in v1.24.0.

Privilege Escalation Kubernetes Fission
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-50565 Go MEDIUM PATCH GHSA This Month

Kubernetes service account token exposure in Fission serverless framework prior to v1.24.0 allows authenticated high-privilege users to escalate cluster privileges via a malicious builder image. Builder pods were created with ServiceAccountName set to fission-builder but without AutomountServiceAccountToken: false, causing the Kubernetes kubelet to automatically inject the fission-builder service account credential into every container in the pod - including untrusted, user-supplied builder images. An attacker with sufficient Fission privileges to register or modify builder environments can exploit this to read the mounted token and authenticate directly to the Kubernetes API using the fission-builder service account's RBAC permissions. No public exploit identified at time of analysis; vendor-released patch is available in v1.24.0.

Privilege Escalation Kubernetes
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-50564 Go CRITICAL PATCH GHSA Act Now

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.24.0 allows a tenant with Environment CRD write access to escape the container sandbox and reach node- or cluster-level privileges by setting unfiltered fields in spec.runtime.podSpec or spec.builder.podSpec. Because the fission-executor and fission-builder service accounts schedule pods on the tenant's behalf, attacker-controlled values for hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName are merged into pod specs without validation. No public exploit identified at time of analysis, but the patch's hardening scope (also closing GHSA-wmgg-3p4h-48x7 and GHSA-v455-mv2v-5g92) shows the issue is broader than a single field.

Privilege Escalation Kubernetes
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-50563 Go CRITICAL PATCH GHSA Act Now

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.24.0 allows a tenant with Function CRUD permissions to supply an arbitrary Function.spec.podspec that the Container Executor merges into the executor-built podspec, resulting in a Deployment whose pods can break the container sandbox and reach node or cluster level. No public exploit identified at time of analysis, but the upstream fix (PR #3391) explicitly enumerates host namespaces, privileged contexts, hostPath mounts, service account overrides, and dangerous Linux capabilities as the abused fields. CVSS 9.9 with scope change (S:C) reflects that a low-privilege tenant can pivot beyond its own RBAC boundary.

Privilege Escalation Kubernetes
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-50545 Go CRITICAL PATCH GHSA Act Now

Privilege escalation in Fission prior to 1.24.0 allows an authenticated user with permission to create or modify Environment custom resources to abuse unvalidated podSpec passthrough fields (Environment.spec.runtime.podSpec and spec.builder.podSpec), causing MergePodSpec to propagate dangerous fields - notably AutomountServiceAccountToken - into the generated builder/runtime pods. Because the fission-builder ServiceAccount token then becomes accessible from a user-supplied container, an attacker can pivot from a Fission tenant into broader Kubernetes cluster privileges (CVSS 9.9, Scope:Changed). No public exploit identified at time of analysis.

Privilege Escalation Kubernetes
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-49824 Go HIGH PATCH GHSA This Week

Cross-namespace access control bypass in Fission (Kubernetes-native serverless framework) prior to 1.24.0 allows an authenticated tenant with permission to create Function objects in their own namespace to reference an Environment in a different namespace, because the admission webhook in pkg/webhook/function.go validated namespace equality only for secrets and configmaps, not for spec.environment.namespace. An attacker can pivot across Kubernetes namespace boundaries and pull in environment configuration belonging to other tenants (CVSS 8.5, scope-changed, high confidentiality impact). No public exploit identified at time of analysis, though the upstream fix and full patch diff are publicly available on GitHub.

Authentication Bypass Kubernetes
NVD GitHub VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-47701 Go HIGH PATCH GHSA This Week

Service account token disclosure in OpenTelemetry Operator's TargetAllocator (versions prior to 0.152.0) allows a tenant with ServiceMonitor write permissions in a watched namespace to exfiltrate the OpenTelemetry Collector pod's mounted Kubernetes service account JWT or any other file on the Collector's filesystem. By setting the bearerTokenFile field on a ServiceMonitor to an arbitrary path (such as /var/run/secrets/kubernetes.io/serviceaccount/token) and pointing the scrape target to an attacker-controlled endpoint, the Collector reads the file and ships its contents as an Authorization: Bearer header on every scrape interval. No public exploit is identified at the time of analysis, though the technique mirrors a well-known Prometheus Operator primitive (ArbitraryFSAccessThroughSMs).

Information Disclosure Kubernetes
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-49823 Go HIGH PATCH GHSA This Week

Cross-namespace access control bypass in Fission prior to 1.24.0 allows an authenticated tenant to reference Package objects belonging to other Kubernetes namespaces because the admission webhook validated namespaces for Secret and ConfigMap references but omitted the equivalent check for PackageRef.Namespace. A low-privileged user with rights to create Function objects in their own namespace can therefore reach Package contents in arbitrary namespaces, producing a scope-changing confidentiality breach (CVSS 7.7, S:C, C:H). No public exploit identified at time of analysis; not listed in CISA KEV.

Authentication Bypass Kubernetes
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-49822 Go HIGH PATCH GHSA This Week

Cross-namespace information disclosure in Fission prior to 1.24.0 allows a low-privilege developer with namespace-scoped permissions to create a KubernetesWatchTrigger (KWT) that establishes a persistent watch channel against Kubernetes resources in any other namespace, breaking the platform's tenancy boundary. The flaw stems from missing namespace-equality enforcement in the kubewatcher controller, which honored an attacker-supplied Spec.Namespace value and even treated an empty value as cluster-wide visibility. No public exploit identified at time of analysis, but the upstream fix (PR #3379, merged into v1.24.0) and detailed advisory GHSA-gc3j-79f2-7vvw confirm the defect class.

Authentication Bypass Kubernetes
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-49821 Go HIGH PATCH GHSA This Week

Cross-namespace package reference flaw in Fission prior to version 1.24.0 allows an authenticated tenant to point a Package CRD at an Environment in another namespace, because the buildermgr controller never verified that Package.spec.environment.namespace matched Package.metadata.namespace. With CVSS 7.7 and a scope-changed confidentiality impact, a low-privileged user in one namespace can cause the controller to read and build against environment resources belonging to other tenants. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Kubernetes
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-53474 MEDIUM This Month

SQL injection in Red Hat's kubev2v migration-planner allows a remote authenticated attacker to upload a crafted RVTools .xlsx file whose cluster-name cells are interpolated unsanitized into DuckDB queries, enabling arbitrary file reads on the host. Because the tool runs as a SaaS migration assessment service, leaked Kubernetes service account tokens or other credentials can pivot to full environment compromise. No public exploit identified at time of analysis, but an upstream fix is available via PR #1231.

SQLi Kubernetes Migration Assessment
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32193 HIGH PATCH NEWS This Week

Local privilege escalation and code execution in Microsoft Azure Kubernetes Service (AKS) is possible via a path traversal flaw (CWE-22) that allows an authorized attacker on the local system to break out of restricted directory boundaries and execute code with elevated privileges. The CVSS 3.1 score of 8.8 reflects the scope change (S:C) where exploitation impacts resources beyond the vulnerable component, enabling full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis.

Microsoft Kubernetes Path Traversal Azure Kubernetes Service
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-46389 CRITICAL PATCH Act Now

Authentication bypass in Defense Unicorns UDS Identity Config versions 0.11.0 through 0.26.0 allows remote unauthenticated attackers to obtain OAuth2 tokens for any Keycloak client using the client-kubernetes-secret authenticator by submitting an arbitrary client_secret value. A logic flaw in the custom authenticator overwrites the submitted secret with the mounted Kubernetes secret prior to comparison, rendering the comparison meaningless. With EPSS at 0.04% there is no public exploit identified at time of analysis, but the SSVC technical impact is rated total and exploitation is automatable, making this a high-priority patch for UDS Core operators.

Authentication Bypass Kubernetes Uds Identity Config
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-47250 npm MEDIUM PATCH GHSA This Month

Argument injection in the kubectl_generic tool of mcp-server-kubernetes (npm, ≤ 3.6.2) enables Kubernetes bearer token exfiltration through indirect prompt injection, allowing privilege escalation to the operator's full RBAC permissions. An attacker with limited cluster access plants a crafted JSON payload in pod log output; when an AI agent using the MCP server reads those logs and follows the injected instruction, kubectl_generic calls kubectl with attacker-controlled --server and --insecure-skip-tls-verify flags, forwarding the operator's kubeconfig bearer token to an attacker-controlled HTTPS endpoint. A fully working public PoC exists confirmed end-to-end on a live kind cluster using Claude Haiku; the fix is available in version 3.7.0. No active exploitation per CISA KEV is confirmed at time of analysis.

OpenSSL Python Privilege Escalation Kubernetes Node.js
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-45726 Go HIGH PATCH GHSA This Week

Sensitive credential disclosure in Sidero Labs Omni (versions 1.3.0–1.6.5 and 1.7.0–1.7.2) allows authenticated users with the low-privileged Reader role to read the ImportedClusterSecrets resource and exfiltrate the full CA private key bundle (Kubernetes, etcd, Talos, and service-account keys) of imported Talos clusters whose secrets have not been rotated. With those keys, attackers can mint cluster-admin certificates and seize complete control of the downstream cluster outside Omni's control plane. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Kubernetes
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-45730 Go HIGH PATCH GHSA This Week

{id}) or delete (DELETE /api/projects) any project on the platform, triggering cascading deletion of associated Functions, APIGateways, and FunctionEvents. The write paths construct PermissionOptions without setting MemberIds, causing the platform-layer FilterProjectsByPermissions to short-circuit and skip OPA enforcement entirely. Publicly available exploit code exists (detailed working PoC in the advisory), and the issue is fixed in Nuclio 1.16.0 via PR #4107.

Authentication Bypass Python Docker Kubernetes
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-44182 PyPI CRITICAL PATCH GHSA Act Now

YAML injection in Jupyter Enterprise Gateway prior to 3.3.0 allows attackers controlling KERNEL_* environment variables submitted via the /api/kernels endpoint to manipulate Kubernetes manifest rendering, escalating to privileged pod creation and full cluster compromise. The Jinja2 template at kernel-pod.yaml.j2 interpolates untrusted values without YAML-aware escaping, allowing both key overwrites (e.g., securityContext) and multi-document YAML injection to spawn arbitrary Pods, Secrets, PVCs, PVs, Services, and ConfigMaps. A detailed proof-of-concept is published in the GHSA advisory, though no CISA KEV listing or in-the-wild exploitation has been confirmed at time of analysis.

Kubernetes Nginx RCE
NVD GitHub
EPSS
0.1%
CVE-2026-44181 PyPI CRITICAL PATCH GHSA Act Now

Server-side template injection in Jupyter Enterprise Gateway versions 2.0.0rc2 through 3.2.x allows remote attackers to execute arbitrary Python code and OS commands in the Enterprise Gateway pod by injecting Jinja2 expressions into KERNEL_XXX environment variables sent via the kernel-creation API. Successful exploitation yields the gateway's Kubernetes service account token, which (per the published PoC RBAC dump) carries cluster-impacting verbs over pods, secrets, and persistent volumes - providing a realistic path to full Kubernetes cluster compromise. A working PoC is published in the GHSA advisory (GHSA-f49j-v924-fx9w); no CISA KEV listing at time of analysis.

Kubernetes Python Ssti RCE
NVD GitHub
EPSS
0.9%
CVE-2026-44180 PyPI CRITICAL PATCH GHSA Act Now

Privilege bypass in Jupyter Enterprise Gateway versions 2.0.0rc1 through 3.2.x allows remote unauthenticated attackers to launch Jupyter kernels as root (UID/GID 0) by appending whitespace to the KERNEL_UID or KERNEL_GID values, bypassing the EG_PROHIBITED_UIDS/GIDS protection. The flaw chains with Kubernetes hostPath volume mounts to enable container escape and worker-node compromise, with publicly available exploit code (PoC) documented in the GHSA advisory; no public exploitation identified at time of analysis.

Kubernetes RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-10533 MEDIUM This Month

OpenShift Container Platform exposes a resource exhaustion path where low-privileged authenticated users with pod creation rights can trigger cluster-wide API server degradation by exploiting two quota enforcement gaps: completed pods with restartPolicy:Never are excluded from ResourceQuota pod limits, and Kubernetes events are not quota-scoped. By repeatedly creating such short-lived pods, an attacker causes Kubernetes events to accumulate unboundedly in etcd, degrading API server performance across the entire cluster - a scope change (CVSS S:C) that extends impact well beyond the attacker's own namespace. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Denial Of Service Kubernetes
NVD VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-10101 MEDIUM This Month

Pull-secret credential exposure in Red Hat Advanced Cluster Management (ACM) and Multicluster Engine (MCE) assisted-service leaks the full contents of a referenced pull-secret - including username, password, email, and base64-encoded auth token - into the publicly-readable `InfraEnv.status.conditions[].message` field when pull-secret validation fails. A low-privileged namespace principal holding the stock Kubernetes `view` ClusterRole, which is explicitly denied direct `get`/`list` on Secret objects, can recover the entire `.dockerconfigjson` credential payload by reading InfraEnv status. This constitutes a confirmed RBAC bypass (CWE-201) demonstrated via a reproduced proof-of-concept; no active exploitation via CISA KEV has been recorded at time of analysis.

Authentication Bypass Kubernetes
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-22872 Go MEDIUM PATCH GHSA This Month

Privilege escalation in Capsule (the Kubernetes multi-tenancy operator) allows authenticated tenant owners to create cluster-scoped resources - including ClusterRole and ValidatingWebhookConfiguration - by embedding them in TenantResource RawItems, bypassing tenant isolation enforced by the platform. The Capsule Controller's default cluster-admin ClusterRoleBinding means it creates whatever resource it is instructed to process, and its attempt to namespace-scope the resource via obj.SetNamespace() is silently ignored by the Kubernetes API for cluster-scoped kinds. A working proof-of-concept is publicly documented in the GHSA advisory; no CISA KEV listing has been issued at time of analysis.

Privilege Escalation Information Disclosure Denial Of Service Kubernetes
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-30963 Go LOW PATCH GHSA Monitor

Namespace hijacking in Capsule (Kubernetes multi-tenancy operator) prior to v0.13.0 allows an authenticated tenant administrator to reassign any namespace to their own tenant by patching it through the namespace/status or namespace/finalize subresource APIs, which bypass Capsule's ValidatingWebhookConfiguration enforcement entirely. The webhook intercepts direct namespace modifications but omits these subresource paths, leaving a gap that an attacker with explicitly delegated RBAC permissions can exploit with a single PATCH request. A complete, working proof-of-concept is publicly available in the GitHub Security Advisory GHSA-2ww6-hf35-mfjm; no CISA KEV listing was identified, indicating no confirmed widespread active exploitation at time of analysis.

Information Disclosure Kubernetes
NVD GitHub VulDB
CVSS 3.1
3.9
EPSS
0.0%
CVE-2026-41185 Go MEDIUM PATCH This Month

Credential exposure in Tigera Calico's Azure IPAM integration causes ServiceAccount tokens, client keys, and certificate authority data to be written in plaintext to a node-local log file on every pod scheduling and termination event. Affected deployments include Calico, Calico Enterprise, and Calico Cloud when the Azure IPAM plugin is in use with token-based Kubernetes authentication. Any low-privileged principal able to read /var/log/calico/cni/cni.log on an affected node can extract these credentials and leverage them for cluster-wide Calico networking administration. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the sensitive nature of the exposed material - full Kubernetes auth credentials - makes this a meaningful lateral movement and privilege escalation risk within affected Azure-hosted Kubernetes clusters.

Microsoft Information Disclosure Kubernetes
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-6720 Go HIGH PATCH GHSA This Week

Credential disclosure in Tigera Calico's calicoctl CLI exposes cluster-access secrets through verbose logging output. When operators run calicoctl with --log-level=info or --log-level=debug, the tool serializes its entire connection-configuration struct (including bearer tokens, etcd passwords, and inline PEM client certificates/keys) to stderr in a single log line, making them harvestable by anyone with access to CI logs, terminal recordings, or support transcripts. The issue is patched upstream but no public exploit is identified at time of analysis; default panic-level logging means standard deployments are not exposed.

Information Disclosure Kubernetes
NVD GitHub
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-41184 Go MEDIUM PATCH This Month

Calico's install-cni init container leaks live Kubernetes ServiceAccount bearer tokens into pod logs when Canal/Flannel-Calico deployments use the __SERVICEACCOUNT_TOKEN__ placeholder, making the credential readable by any authenticated user with pods/log permission in the calico-node namespace. The exposed token carries patch privileges on pods/status, creating a lateral movement path via annotation-based attacks against cluster workloads. This is a confirmed regression of TTA-2018-001 reported by Tigera; no public exploit has been identified at time of analysis, though upstream patches are available via GitHub.

Information Disclosure Kubernetes
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.1%
CVE-2026-41045 HIGH PATCH This Week

Local privilege escalation in presire qSnapper before 1.3.3 lets a low-privileged user bypass Polkit authentication in the privileged D-Bus service by exploiting a PID-reuse race in the UnixProcessSubject authorization check. A successful race grants the attacker the authority of a privileged process, exposing high-impact root-level operations (snapshot/file restore) on the host. EPSS is low (0.13%, 3rd percentile) and no public exploit is identified; the issue was found in a coordinated SUSE security review and fixed in v1.3.3.

Apache SSRF Kubernetes Qsnapper Suse
NVD GitHub VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-41048 HIGH PATCH This Week

Authentication bypass in qSnapper's privileged D-Bus service (versions before 1.3.3) allows any local unprivileged user to invoke administrative snapshot operations by piggy-backing on another client's prior Polkit authentication. The service stored authentication state in a single shared m_authenticated flag rather than per-client, so once any caller passed an admin check, all subsequent D-Bus callers inherited that state. No public exploit identified at time of analysis; the issue was found during a SUSE-coordinated security review and patched in v1.3.3.

Apache SSRF Kubernetes Qsnapper
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-44210 Go MEDIUM PATCH GHSA This Month

VM escape in Kata Containers allows any Kubernetes user with pod-creation rights to break out of the VM sandbox and gain full read/write access to the host filesystem. All Kata Containers installations prior to commit ffa59ce3aa78 are affected when using the default configuration.toml, which enables the `virtio_fs_extra_args` and `kernel_params` pod annotations out of the box. An attacker crafts a pod with two annotations: one to redirect virtiofsd to serve the host root filesystem (`/`) into the guest VM, and a second to enable the agent debug console - after which the entire host filesystem is accessible from inside the supposedly isolated VM. A fully working proof-of-concept with confirmed output against Kata Containers 3.28.0 on Ubuntu 24.04 has been publicly disclosed; no public exploit confirmed as actively exploited (CISA KEV) at time of analysis.

Ubuntu Kubernetes Gitlab Docker Code Injection +1
NVD GitHub
EPSS
0.1%
CVE-2026-40564 MEDIUM PATCH This Month

Unvalidated jarURI handling in Apache Flink Kubernetes Operator exposes authenticated low-privilege users to server-side request forgery and arbitrary file read primitives against the operator pod. Any Kubernetes principal holding Custom Resource create permissions can submit a malicious FlinkSessionJob CR with a crafted jarURI - pointing to local filesystem paths, internal cloud metadata endpoints, link-local addresses, or any backing store reachable through Flink's pluggable filesystem layer - and retrieve that content via the submitted job. No public exploit has been identified at time of analysis, and EPSS sits at 0.01% (3rd percentile), but the confidentiality impact is rated High by NVD given the breadth of accessible internal resources.

Apache Information Disclosure Kubernetes SSRF Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-46680 Go HIGH PATCH GHSA This Week

runAsNonRoot bypass in containerd allows crafted container images to execute as UID 0 despite Kubernetes security policies designed to prevent root execution. The flaw stems from containerd treating numeric USER directives that overflow a 32-bit integer as usernames, and if the image's /etc/passwd maps that string to root, the container runs as root. No public exploit identified at time of analysis, but the issue was responsibly disclosed by Lei Wang (@ssst0n3) and fixed in multiple containerd release branches.

Memory Corruption Kubernetes Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-46519 npm HIGH PATCH GHSA This Week

Authorization bypass in mcp-server-kubernetes versions prior to 3.6.0 allows authenticated clients to invoke any Kubernetes tool - including destructive operations like kubectl_delete, exec_in_pod, and node_management - regardless of ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, or ALLOWED_TOOLS restrictions. The controls were enforced only at the tools/list discovery layer, leaving tools/call unguarded, which effectively reduces operator-configured least-privilege policies to cosmetic filters. Publicly available exploit code exists (a single curl invocation reproduces it), and in cluster-admin deployments the flaw is equivalent to full cluster compromise for any client reaching the endpoint.

Kubernetes Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-46617 Go HIGH PATCH GHSA This Week

Privilege escalation in Fission (Kubernetes serverless framework) versions <= 1.22.0 allows any user able to deploy or update a Function CRD to read every Secret and ConfigMap in the runtime namespace, bypassing the Function.spec.secrets allowlist. The flaw stems from runtime pods running under the namespace-privileged fission-fetcher ServiceAccount whose automounted token is reachable by the user-code container alongside the fetcher sidecar. No public exploit identified at time of analysis, but the vendor-issued advisory (GHSA-85g2-pmrx-r49q) describes a trivially reachable abuse path once a function can be deployed.

Kubernetes Privilege Escalation
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-46612 Go HIGH PATCH GHSA This Week

Unauthenticated archive CRUD in Fission's storagesvc (≤ v1.22.0) lets any in-cluster workload list, download, replace, or delete function deployment archives across all tenants by hitting the ClusterIP-exposed /v1/archive and /v1/archives endpoints. Because uploaded archives are later fetched and executed by function specialization, the flaw escalates from a tenant data-exposure issue to in-cluster code execution. No public exploit identified at time of analysis, but the trivial HTTP pattern and lack of auth middleware make weaponization straightforward for any attacker with a foothold pod.

Kubernetes Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-46432 PyPI HIGH PATCH GHSA This Week

Arbitrary code execution in InternLM lmdeploy <= 0.12.3 occurs because trust_remote_code=True is hardcoded across HuggingFace model-loading call sites in lmdeploy/archs.py and lmdeploy/utils.py. An attacker who can influence the model_path passed to an lmdeploy serving process can point it at a malicious HuggingFace repository, causing Transformers to download and execute attacker-controlled Python code with the privileges of the serving daemon. Publicly available exploit code exists in the GHSA advisory, and an upstream fix has been merged via PR #4511 (fixed in 0.13.0).

Kubernetes Code Injection RCE Denial Of Service Python
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45760 Go PATCH GHSA Monitor

(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace. This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.

Kubernetes Apache Authentication Bypass Apache Camel K
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-27173 PyPI HIGH PATCH GHSA This Week

JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow to modify state of Airflow Database for tasks.

Kubernetes Information Disclosure Apache Airflow Cncf Kubernetes Provider
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-45738 Go HIGH PATCH GHSA This Week

Stored XSS in Argo CD allows developer-role users to inject javascript: URIs via link.argocd.argoproj.io/* annotations, which render unvalidated in the Application Summary tab's URLs section. When an admin clicks the disguised link, arbitrary JavaScript executes in the ArgoCD same-origin context with the victim's session, enabling API exfiltration and developer-to-admin privilege escalation. No public exploit identified at time of analysis beyond the detailed vendor PoC, and the issue is not currently listed in CISA KEV.

Kubernetes XSS Privilege Escalation
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-45737 Go MEDIUM PATCH GHSA This Month

Information disclosure in Argo CD v3.x exposes plaintext Kubernetes Secret values to authenticated users who can view application diffs via the ServerSideDiff feature. This is an incomplete fix for a prior vulnerability (GHSA-3v3m-wc6v-x4x3): the original patch masked top-level Secret data in ServerSideDiff responses but failed to sanitize Secret content embedded in the `kubectl.kubernetes.io/last-applied-configuration` annotation on `predictedLive` objects, leaving raw `data`, `stringData`, and sensitive annotation values readable in UI and CLI diff output. A publicly available proof-of-concept exists; no KEV listing is present at time of analysis, but the Changed Scope (S:C) in the CVSS vector indicates that exposed secrets may belong to workloads beyond the Argo CD application boundary, amplifying real-world impact in multi-tenant environments.

Information Disclosure Kubernetes
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-45553 PyPI HIGH PATCH GHSA This Week

Local file disclosure in NiceGUI versions <= 3.11.1 allows remote unauthenticated attackers to read arbitrary files accessible to the server process when applications pass user-controlled content to ui.restructured_text(). The flaw stems from Docutils being invoked without disabling file-insertion directives (include, csv-table :file:, raw :file:), enabling exfiltration of secrets, credentials, and source code. No public exploit identified at time of analysis, but the vendor advisory provides full directive-level proof patterns.

Information Disclosure Kubernetes Python Docker
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVSS 4.3
MEDIUM This Month

{NAMESPACE}/{NAME} cross-namespace annotation syntax are both intentional design choices; this vulnerability represents an unimplemented security feature rather than a coding bug, and is categorized as CWE-668. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, multi-tenant Kubernetes clusters relying on namespace isolation as a trust boundary are the exclusive impact surface.

Kubernetes Information Disclosure
NVD GitHub
LOW POC PATCH Monitor

ToolHive's hand-maintained SSRF guard (`networking.IsPrivateIP`) omits IPv6 NAT64 prefixes `64:ff9b::/96` (RFC 6052) and `64:ff9b:1::/48` (RFC 8215), allowing addresses like `64:ff9b:1::a9fe:a9fe` - the NAT64 encoding of the cloud metadata endpoint `169.254.169.254` - to be misclassified as globally routable and pass unchecked. On ToolHive deployments behind a NAT64/DNS64 gateway (the default in IPv6-only Kubernetes clusters and several IPv6-only cloud environments), an unauthenticated attacker can submit a crafted OAuth `client_id` URL that causes ToolHive's CIMD fetcher to dial internal or link-local addresses the guard is intended to block, achieving a blind internal-reachability oracle. Practical impact is limited to TCP/TLS connection probing rather than credential exfiltration due to HTTPS-only enforcement and TLS verification on the attacker-controlled path; a complete proof-of-concept is publicly available in the vendor advisory, and no public exploit identified at time of analysis as a KEV-listed active campaign.

Kubernetes Microsoft SSRF +1
NVD GitHub
CVSS 5.4
MEDIUM PATCH This Month

Network policy bypass in Cilium 1.19.0-1.19.4 allows workloads inside a Kubernetes namespace to reach peers that CIDR-based ipBlock NetworkPolicies should block. The flaw surfaces exclusively when Cilium is deployed with a custom clusterName (any value other than the default 'any'): the network-policy parser in parseNetworkPolicyPeer erroneously instantiates an empty pod selector for selectorless ipBlock peers, which compiles into a wildcard namespace-allow rule instead of a pure CIDR rule. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass Kubernetes Cilium
NVD GitHub
CVSS 8.7
HIGH PATCH This Week

Configuration injection in F5 NGINX Ingress Controller lets an authenticated Kubernetes user with rights to create or modify Ingress CRDs or annotations smuggle arbitrary NGINX directives into the generated configuration. Because multiple user-controllable fields are written to the config without sanitization, an attacker can inject directives that create or delete files and disable services on the control plane. No public exploit identified at time of analysis; this is a control-plane-only issue with no data plane exposure, but the CVSS 4.0 score of 8.7 (High) reflects strong confidentiality and integrity impact.

Nginx Kubernetes Code Injection +1
NVD
HIGH PATCH This Week

Privilege escalation in Woodpecker CI (v1.0.0 through v3.15.0) running the Kubernetes backend lets any user with Push permission on a connected repository set the pipeline pod's serviceAccountName to an arbitrary ServiceAccount in the pipeline namespace, inheriting its RBAC rights. Because the option was passed straight to the pod spec with no admin gating, a low-privilege contributor can pivot to a privileged ServiceAccount and exfiltrate secrets (DB credentials, API keys, TLS certs) or take over the cluster. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the fix is available in v3.16.0 via a default-off gating flag.

Kubernetes Privilege Escalation
NVD GitHub
CVSS 7.5
HIGH PATCH This Week

Unauthenticated remote denial of service in StacklokLabs MKP (Model Context Protocol for Kubernetes) server versions before 0.4.1 lets a single crafted `tools/call` request against the default `:8080` endpoint exhaust process memory. The `get_resource` tool accepts attacker-controlled `limitBytes`/`tailLines` values with no upper bound and streams the entire Kubernetes pod-log response into an in-memory `bytes.Buffer`, driving an OOM kill (dynamic reproduction grew RSS from 25.8 MB to 1,179.3 MB on one request). Publicly available exploit code exists in the GitHub Security Advisory; there is no public evidence of active exploitation.

Docker Kubernetes Denial Of Service +1
NVD GitHub
HIGH PATCH This Week

Unauthenticated arbitrary file write in OpenCost (all versions up to and including releases before 1.119.1) lets remote clients POST to the /serviceKey endpoint and overwrite the GCP service account key file (key.json) with attacker-controlled content, with no authentication and no input validation. An attacker can either corrupt the credential file to break GCP cost collection or inject their own valid service-account key to redirect the target's billing/cost data to an attacker-owned GCP project. Publicly available exploit code exists (a full reproducible PoC is in the GHSA advisory); no public evidence of active exploitation and no CISA KEV listing.

Privilege Escalation Authentication Bypass Kubernetes +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Information disclosure with integrity impact in the Spotfire Server modules of Spotfire Enterprise, Spotfire Enterprise with External Consumers, and Spotfire on Kubernetes allows a remote, unauthenticated attacker to obtain sensitive data and alter server-side state once a victim is lured into a passive interaction (UI:P), such as opening a crafted link or analysis. The CVSS 4.0 base score is 8.7 (High) with high confidentiality and integrity impact and low availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS was not provided.

Kubernetes Information Disclosure Spotfire Enterprise +2
NVD
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Remote code execution in the Argo CD repo-server component (as shipped in Red Hat OpenShift GitOps and the argoproj argo-helm chart) allows an unauthenticated attacker with network access to the repo-server to run arbitrary code and, under certain conditions, poison cached manifests to push malicious Kubernetes resources into managed clusters, enabling full cluster takeover. The root cause is missing authentication (CWE-306) on a critical internal service that the default Helm chart left network-exposed. There is no public exploit identified at time of analysis, but detailed third-party technical research (Synacktiv) and press coverage exist, and the flaw was reported unpatched at disclosure.

Authentication Bypass Red Hat RCE +5
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Argument injection in Flux159 MCP Server Kubernetes before 3.9.0 lets remote attackers redirect kubectl operations to an attacker-controlled API server by smuggling a leading-dash `--server` flag through the resourceType and name parameters of the kubectl_get, kubectl_describe, and kubectl_delete structured tools. Because the injected values bypass the assertNoDangerousFlags check, the operator's bearer token is transmitted to the external server, enabling full Kubernetes cluster compromise. Reported by VulnCheck, it carries CVSS 4.0 9.3, has publicly available exploit code, and a vendor patch in release 3.9.0; there is no confirmed active exploitation.

Authentication Bypass Kubernetes Mcp Server Kubernetes
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Server-Side Request Forgery in the guardrails-detectors component allows a remote attacker to submit a crafted XML Schema Definition (XSD) that forces the service to make attacker-directed requests, reaching cloud metadata services, the Kubernetes API, internal MinIO object storage, and other internal endpoints, and to read local files such as service account tokens and pod secrets. Because the flaw is blind SSRF chained to local file disclosure inside a container/Kubernetes context, an attacker can harvest credentials and pivot deeper into the cluster. No public exploit identified at time of analysis, but the CVSS 9.3 rating and scope-changing impact make this high priority for affected AI-guardrails deployments.

Authentication Bypass SSRF Kubernetes
NVD
HIGH POC PATCH This Week

Server-side request forgery (and cross-scheme local file disclosure) in the Ruby css_parser gem (all versions prior to 3.0.0) lets an attacker who can land a single @import url(...) rule in parsed CSS force the server to issue arbitrary HTTP/HTTPS GETs to any internal host, port or IP, and — via an attacker-controlled 302 redirect to a file:// URI — read local files. Premailer-style consumers that re-emit the parsed CSS into rendered HTML/email leak any CSS-shaped response bytes back to the attacker, turning this into a data-exfiltration channel rather than a blind SSRF. No public CVSS is published and it is not in CISA KEV, but a complete working proof-of-concept (poc.rb) is included in the advisory, so publicly available exploit code exists.

Kubernetes Hashicorp SSRF +7
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Memory-exhaustion denial of service in soupsieve, the CSS selector engine bundled with Beautiful Soup 4 (beautifulsoup4), lets remote unauthenticated attackers crash Python services by submitting a large comma-separated CSS selector to soupsieve.compile() or Beautiful Soup's .select()/.select_one(). Each comma-delimited item is parsed into a ~976-byte object graph with no cap on list length, so a ~500 KB selector string of 'a,a,a,...' expands to roughly 244 MB of heap (a ~488x amplification), triggering OOM kills or MemoryError. A working proof-of-concept is published in the advisory; no CISA KEV listing or in-the-wild exploitation is reported.

Kubernetes Python Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 3.8
LOW Monitor

Privilege escalation in VMware Pinniped's Kubernetes authentication layer allows an attacker who already controls Active Directory group distinguished names to gain elevated Kubernetes RBAC permissions beyond their legitimate entitlements. The flaw affects Pinniped v0.11.0 through v0.46.0 when the Supervisor is configured with an ActiveDirectoryIdentityProvider and a specific empty groupName attribute, and only when an attacker simultaneously holds write access to AD group entries and valid AD user credentials. No public exploit code exists and this is not listed in CISA KEV; the vendor CVSS score of 3.8 (Low) reflects the highly constrained exploitation prerequisites.

Kubernetes Information Disclosure Pinniped
NVD GitHub
CVSS 10.0
CRITICAL POC PATCH Act Now

OS command injection in Nuclio (serverless platform) versions <= 1.15.27 lets attackers run arbitrary shell commands as root inside Kubernetes CronJob pods by submitting a function with a crafted cron trigger. The controller concatenates unsanitized `event.headers` keys and `event.body` values into a `/bin/sh -c` curl string; a header key containing a double-quote breaks quoting, and a body containing `$()` triggers command substitution (strconv.Quote does not escape it). Because the Nuclio Dashboard API is unauthenticated in its default configuration, this is remotely reachable; no public exploit is identified in KEV, though a detailed, dynamically-verified PoC accompanies the advisory.

Python Kubernetes Microsoft +3
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authentication bypass in Portainer Community Edition (2.39.0-2.39.3 and 2.40.0 through 2.42.x) lets an unauthenticated network attacker seize full administrative control of a freshly deployed, uninitialized instance. During the five-minute post-deployment setup window the /api/restore and /api/users/admin/init endpoints stay reachable without credentials, so an attacker who wins the race can create the first admin account or restore a crafted backup and take over the platform along with every Docker, Swarm, Kubernetes and ACI environment it manages. No public exploit identified at time of analysis and it is not on CISA KEV, but the fix is available in 2.39.4 and 2.43.0.

Authentication Bypass Kubernetes Docker +1
NVD GitHub VulDB
CVSS 4.3
MEDIUM POC PATCH This Month

Cluster-level RBAC bypass in Kite (github.com/zxh326/kite) v0.12.2 allows any authenticated user to retrieve aggregate inventory and capacity data from Kubernetes clusters they are not authorized to access. By supplying an arbitrary cluster name in the `x-cluster-name` header, a low-privileged user scoped to one cluster can enumerate node counts, pod counts, namespace counts, service counts, and CPU/memory resource totals from other configured clusters. No public exploit identified at time of analysis, though the reporter provided and validated a working Go proof-of-concept test demonstrating the bypass.

Authentication Bypass Kubernetes
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Missing authentication in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes deployments) exposes a critical API endpoint that a remote, unauthenticated attacker can reach directly, bypassing access controls to interact with functionality that should require an authenticated session. Esri rates this critical (CVSS 9.8) and disclosed it in its June 2026 ArcGIS security bulletin; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because the exposed function is an administrative/portal API reachable over the network with no credentials, successful access could lead to disclosure or manipulation of portal content and configuration.

Authentication Bypass Kubernetes Microsoft +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Account takeover in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes) stems from a weak forgotten-password recovery mechanism (CWE-640) that a remote, unauthenticated attacker can manipulate to assume ownership of another user's account. The flaw carries a CVSS 9.8 rating because it is network-reachable with no authentication or user interaction, yielding full compromise of confidentiality, integrity, and availability of the targeted account. There is no public exploit identified at time of analysis and EPSS is low (0.22%, 13th percentile), and CISA's SSVC framework records exploitation as none, indicating no observed in-the-wild activity despite the critical score.

Authentication Bypass Kubernetes Microsoft +1
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Filter context poisoning in Traefik v3.7.0-v3.7.5 allows a low-privileged Kubernetes user to cause security-sensitive backendRef filters - such as tenant identity or authorization headers trusted by the backend - to be applied to requests from a different, co-located HTTPRoute that targets the same backend Service:port. This affects multi-tenant Kubernetes Gateway API deployments and can cross namespace boundaries when a ReferenceGrant permits cross-namespace backend targeting, making it an authorization bypass and tenant-isolation failure. No public exploit identified at time of analysis; the issue is fixed in Traefik v3.7.6.

Authentication Bypass Kubernetes Traefik
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

Authenticated denial of service in Red Hat Advanced Cluster Security for Kubernetes (RHACS) 4 allows any user holding a valid API token to exhaust Central's resources. Because Central does not cap the nesting depth of queries served on its authenticated GraphQL API, a single deeply nested query can drive excessive CPU and memory consumption and take down the RHACS management plane. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the low-privilege network vector makes it trivial for any token holder to trigger.

Kubernetes Red Hat Denial Of Service +1
NVD
CVSS 7.1
HIGH PATCH This Week

Arbitrary CWD-file read and inode-tampering in the oras-go v2 content/file tar extractor allows an attacker who controls an OCI artifact to hardlink files from the pulling process's working directory into the extract tree. When a victim runs 'oras pull' (or any Go program using oras-go/v2/content/file) against a malicious layer marked with the io.deis.oras.content.unpack annotation, the flawed ensureLinkPath helper validates a resolved hardlink target but passes the original relative Linkname to os.Link, causing link(2) to resolve it against the process CWD instead of the extract base. Publicly available exploit code exists (detailed PoC and regression test in the advisory); this is not listed in CISA KEV and no active exploitation is confirmed.

Linux Ubuntu Path Traversal +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Privilege-escalation via admission-control bypass in Rancher Fleet allows an attacker with git push access to a Fleet-monitored repository to overwrite Pod Security Standards (PSS) enforcement labels on target namespaces. Because Fleet's agent-side deployer failed to filter security-sensitive keys (notably the `pod-security.kubernetes.io/` prefix) from `namespaceLabels` in `fleet.yaml` or `BundleDeployment.spec.options.namespaceLabels`, an attacker can downgrade namespace admission enforcement and deploy privileged or otherwise restricted workloads that PSS would normally block. No public exploit identified at time of analysis; the flaw was privately reported through responsible disclosure by a NATO NCSC researcher and is not listed in CISA KEV.

Kubernetes Information Disclosure
NVD GitHub VulDB
CVSS 8.7
HIGH PATCH This Week

Server-Side Request Forgery in Sigstore Fulcio (before v1.8.6) lets a compromised or malicious OIDC issuer redirect the OIDC Discovery client's metadata fetches to attacker-chosen hosts, enabling blind SSRF against internal systems, poisoning of the verifier cache via a substituted jwks_uri so forged signatures validate, and leakage of the in-cluster Kubernetes ServiceAccount token to third-party hosts. Unauthenticated remote attackers who control a configured (or wildcard-matched) issuer can chain these into trust compromise of the certificate authority. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SSRF Kubernetes
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Authentication bypass in SUSE Rancher's in-cluster admission webhook (rancher-webhook) lets a network-adjacent, unauthenticated attacker forge FleetWorkspace admission payloads so that workspace-related Kubernetes objects are created with attacker-chosen identity data. Affected releases span Rancher 0.7.0–0.7.10, 0.8.0–0.8.7, 0.9.0–0.9.6 and 0.10.0–0.10.7, with integrity impact but no direct confidentiality or availability loss. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue is documented in SUSE/Rancher advisory GHSA-h83p-cq95-vph4.

Authentication Bypass Kubernetes Rancher
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Offline administrator password recovery in Kestra OSS (versions prior to 1.3.24) stems from its BasicAuth component storing the admin credential as a fast SHA-512 hash. An attacker who already holds read access to the backing PostgreSQL database can extract that hash and crack it offline at high speed, then log in as administrator; in Kubernetes deployments this further exposes the cluster ServiceAccount token and all K8s Secrets, enabling vertical privilege escalation. No public exploit identified at time of analysis and not on CISA KEV; EPSS data was not provided.

PostgreSQL Kubernetes Privilege Escalation +1
NVD GitHub VulDB
CVSS 6.3
MEDIUM POC PATCH This Month

Server-Side Request Forgery in Netflix Lemur's certificate verification pipeline allows an authenticated operator-role user to force the Lemur host to issue outbound HTTP requests to arbitrary internal destinations by uploading a crafted certificate whose CRL Distribution Point or OCSP responder extensions point to RFC1918 addresses, link-local endpoints (169.254.169.254), internal Kubernetes API servers, or loopback interfaces. Both `crl_verify` and `ocsp_verify` in `lemur/certificates/verify.py` pass attacker-controlled URLs directly to network sinks with no destination allow-list, scheme restriction beyond LDAP rejection, or private-address filtering. No public exploit confirmed in CISA KEV, but detailed proof-of-concept reproduction steps are published in the GitHub Security Advisory GHSA-54vg-pfh7-jq95; vendor-released patch v1.9.2 is available.

OpenSSL SSRF Python +1
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM POC PATCH This Month

Arbitrary filesystem write via zip-slip in K3s etcd snapshot restoration affects all K3s versions prior to 1.35.3+k3s1, 1.34.6+k3s1, and v1.33.10+k3s1. A maliciously crafted zip archive with path-traversal entries in member filenames (e.g., '../../etc/cron.d/evil') can overwrite arbitrary files on the host filesystem when an administrator performs a compressed etcd snapshot restore. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Path Traversal Kubernetes K3S
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's WireGuard module causes the receive/decryption path to permanently stall for an individual peer under heavy network load. Affected stable trees (notably 6.12.34 through 6.12.73, with the same defect originating in 5.15/6.1 where threaded NAPI became default) can have inbound traffic to a specific WireGuard peer halt completely once the per-peer rx_queue fills its 1024-packet backlog and wg_packet_rx_poll is never rescheduled. The condition was reported by multiple production Cilium/Kubernetes operators; there is no public exploit identified at time of analysis and EPSS is very low (0.10%, 1st percentile).

Linux Kubernetes Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Server-side request forgery in Budibase (@budibase/backend-core before 3.39.9) lets authenticated users with automation permissions bypass the SSRF blacklist via DNS rebinding, reaching loopback, RFC1918, and cloud metadata endpoints from the Budibase host. The outbound fetch helper validates a hostname's resolved IP against the blacklist but never pins that IP to the subsequent socket, so node-fetch performs a second DNS lookup that can resolve to an internal address. Because several automation steps return upstream response bodies into automation output, the result is a non-blind read primitive; publicly available exploit code (a rebinding PoC) exists, though EPSS is low (0.24%, 15th percentile) and it is not on CISA KEV.

Kubernetes SSRF
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

DNS rebinding against the Glances XML-RPC server (`glances -s`) allows a network-adjacent or remote attacker to exfiltrate the full system monitoring dataset - including process command lines that routinely contain secrets - from a victim's browser without any authentication. The `GlancesXMLRPCHandler` in `glances/server.py` accepts arbitrary HTTP `Host` headers without validation, an omission that persists while the REST/WebUI server received an equivalent fix (TrustedHostMiddleware, v4.5.2) and the MCP server was protected since v4.5.1. No active exploitation is confirmed (not in CISA KEV), but a detailed proof-of-concept is published in the vendor's GitHub security advisory GHSA-w856-8p3r-p338 and the attack is materially amplified by the companion CORS wildcard issue CVE-2026-46608.

Kubernetes Docker RCE +3
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Cross-origin data exposure in Glances XML-RPC server (versions 4.5.3 through 4.5.4) allows any malicious web page to read full system monitoring data from a victim's browser because the CORS allowlist silently collapses to 'Access-Control-Allow-Origin: *' whenever two or more origins are configured. This is an incomplete fix for CVE-2026-33533: the CORS header is computed once at startup and never validated against the request's Origin. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis as actively exploited.

Grafana Docker Python +3
NVD GitHub
LOW PATCH Monitor

Denial of service in Inspektor Gadget's USDT note parser (pkg/uprobetracer/usdt.go) allows an unprivileged container process to crash or OOM-kill the privileged IG host process by placing a crafted ELF binary at a path targeted by a custom USDT gadget. Two distinct attack vectors exist: a panic from out-of-bounds slice access when DescSize is artificially small, and unbounded memory allocation (~4 GiB) when NameSize or DescSize is set to 0xFFFFFFFF. No public exploit identified at time of analysis; critically, no gadget shipped by the Inspektor Gadget project uses USDT probes, so only deployments running operator-developed custom USDT gadgets are exposed.

RCE Denial Of Service Privilege Escalation +1
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

The Kubernetes Ingress NGINX provider in Traefik v3.7.0-ea.1 through v3.7.4 fails open when BasicAuth or DigestAuth cannot be installed because the referenced auth-secret is unresolvable, silently publishing the intended-to-be-protected backend route without any authentication middleware to unauthenticated network clients. Operators who explicitly configure auth via nginx.ingress.kubernetes.io/auth-type and auth-secret annotations are left with a live, fully accessible backend route while Traefik logs a single controller-level error and routes traffic normally - a direct violation of the declared security intent. A detailed proof-of-concept covering eight distinct secret-failure scenarios was developed by the reporter and confirmed on both current master and v3.7.1; no public release of exploit code is confirmed and no CISA KEV listing exists at time of analysis.

Nginx Kubernetes Denial Of Service +3
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Memory exhaustion via maliciously crafted container image in containerd causes an OOM kill of the containerd process, rendering the container runtime API unavailable and disrupting orchestration layers including Docker Engine and Kubernetes control-plane components. CVE-2026-47262 is rated Moderate by the containerd project - lower than the four co-patched Critical/High CVEs - and is fixed across the full active supported release tree in versions 2.3.2, 2.2.5, 2.1.9, 2.0.10, and 1.7.33. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Docker Kubernetes Denial Of Service +1
NVD VulDB GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Kubernetes device-plugin and resource-allocation enforcement can be bypassed in containerd by a namespace user holding pod-creation rights, who restores a container from a maliciously crafted checkpoint image. The CRI restore path trusts Container Device Interface (CDI) annotations embedded in untrusted checkpoint metadata instead of the pod's create-time spec, letting the attacker smuggle arbitrary CDI edits (host device nodes and mounts) into the restored container. It affects containerd v2.1.0-2.1.8, v2.2.0-2.2.4 and v2.3.0-2.3.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Kubernetes Checkpoint Information Disclosure +1
NVD VulDB GitHub
CVSS 5.8
MEDIUM PATCH This Month

Unauthenticated SSRF in signalk-server ≤2.27.0 allows remote attackers to force the server to make arbitrary HTTP/HTTPS requests to any destination, including RFC 1918 private ranges, loopback, and cloud metadata services at 169.254.169.254. On default installations where no admin user has been created, the security middleware is a no-op, meaning all three vulnerable endpoints are completely unauthenticated over the network. A detailed public PoC is included in the GitHub advisory demonstrating internal network scanning, AWS IAM credential theft via IMDSv1, and path-traversal-assisted targeted data exfiltration; no CISA KEV listing is present at time of analysis.

Microsoft Docker Kubernetes +4
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Arbitrary file and environment variable reads on xDS client hosts are possible in Armeria versions 1.38.0 and 1.39.0 via the armeria-xds module's SDS (Secret Discovery Service) implementation. The DataSourceStream class resolves control-plane-supplied filename and environment_variable fields from SDS Secret resources without any path confinement or allow-listing, enabling a compromised or semi-trusted xDS control plane - or an attacker who can MITM unprotected SDS gRPC streams - to extract TLS private keys, Kubernetes service-account tokens, cloud credential files, and environment variables such as AWS_SECRET_ACCESS_KEY. No public exploit has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, but the confused-deputy pattern and Kubernetes deployment context make it a high-priority upgrade for affected users.

Kubernetes Java Code Injection
NVD GitHub VulDB
CVSS 5.3
MEDIUM PATCH This Month

Path traversal and query-string injection in the OpenTelemetry Collector Contrib Sentry exporter allows any OTLP span sender to redirect the collector's operator bearer token to arbitrary Sentry API endpoints - including privileged admin, organization, and member management endpoints. The vulnerability stems from the `service.name` span attribute being interpolated directly into Sentry API URLs via `fmt.Sprintf` without validation, while the existing `projectSlugRegexp` safeguard is only applied to operator-configured mappings and never to runtime-derived slugs. No CISA KEV listing exists at time of analysis, but the GHSA advisory provides detailed exploitation steps demonstrating both a universally reliable query-string injection vector and a nginx-dependent path traversal vector, with a fixed version available at 0.154.0.

Path Traversal Nginx Kubernetes
NVD GitHub
CVSS 5.7
MEDIUM PATCH This Month

Namespace tenant-label hijack in Capsule v0.13.0-0.13.5 allows an authenticated Kubernetes user with namespaces/finalize RBAC permission to bypass the validating admission webhook and overwrite tenant isolation labels via the finalize subresource. The root cause is a one-character typo in the Helm chart configuration - `namespace/finalize` (singular) instead of `namespaces/finalize` (plural) - rendering the CVE-2026-30963 patch in v0.13.2 entirely ineffective. Publicly available exploit code (PoC) exists and has been confirmed on a kind cluster running Capsule v0.13.2; no active exploitation has been confirmed by CISA KEV.

Authentication Bypass Kubernetes
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Traefik's Kubernetes Gateway provider exposes internal services (`api@internal`, `dashboard@internal`, `rest@internal`) on the data plane due to a namespace allowlist check evaluated against the wrong variable in multi-backendRef (WRR) HTTPRoute rules. Operators who configured `crossProviderNamespaces` to restrict which namespaces may reference cross-provider `TraefikService` backends find that restriction entirely bypassed for routes with two or more backendRefs, allowing an unprivileged route namespace to expose the Traefik API unauthenticated on the normal web entrypoint. A fully functional end-to-end proof-of-concept was included in the disclosure; no public exploit identifier at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Kubernetes Docker +1
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Server-Side Request Forgery in Pydantic AI (versions 1.56.0-1.101.0, 2.0.0b1, 2.0.0b2) allows unauthenticated network attackers to bypass the cloud-metadata IP blocklist by encoding metadata service addresses (e.g., 169.254.169.254) in IPv6 transition forms - specifically IPv4-compatible IPv6, NAT64 RFC 8215 local-use prefixes, operator-chosen NAT64 prefixes, and ISATAP - that the prior remediation (CVE-2026-46678) failed to decode, enabling retrieval of cloud IAM short-term credentials. Exploitation is constrained by two simultaneous prerequisites: the application must use the non-default `force_download='allow-local'` mode and must operate on a network that routes the affected IPv6 transition forms (e.g., IPv6-only or dual-stack-with-NAT64 Kubernetes clusters). This is the third iteration in an escalating bypass chain (CVE-2026-25580 → CVE-2026-46678 → CVE-2026-48782), and no public exploit has been identified at time of analysis.

Python Kubernetes SSRF +3
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Mutual-TLS bypass in Traefik v3.7.0 and v3.7.1 lets unauthenticated remote attackers reach backends protected by wildcard-router `TLSOptions` (for example `Host("*.example.com")` with `RequireAndVerifyClientCert`). The `SNICheck` domain-fronting middleware resolves TLS options for the HTTP `Host` header via exact map lookups only, so an attacker completing the TLS handshake under a permissive SNI on the same entrypoint can then send a `Host` header for the wildcard-protected backend and skip the client-certificate requirement. Publicly available exploit code exists in the GitHub Security Advisory PoC; this is independent of the prior HTTP/3 mTLS issue.

Kubernetes OpenSSL Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

{team}/join), exploiting the fact that text/plain Content-Type does not trigger a CORS preflight check. In CTF deployments this allows score inflation by forcing victims to solve Juice Shop challenges credited to the attacker's team; any sensitive data entered by the victim is also captured in the attacker's Juice Shop instance. No public exploit identified at time of analysis, and a vendor-released patch is available in version 10.0.1.

CSRF Kubernetes Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to create GrafanaDashboard or GrafanaLibraryPanel resources to steal the Kubernetes service account token of the operator manager pod. The jsonnet templating language, supported via spec.jsonnetLib, is evaluated unsandboxed inside the operator manager pod, enabling a path traversal payload to read sensitive files - including the mounted service account token - and exfiltrate it through the resulting dashboard output. No public exploit is identified at time of analysis, but successful exploitation yields cluster-level privilege escalation, reflected in the vendor-assigned CVSS 4.0 subsequent-system impact of SC:H/SI:H.

Grafana Path Traversal Kubernetes +2
NVD VulDB GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-tenant container deletion in the Radius Kubernetes controller (versions <= v0.57.1) allows a tenant with Deployment annotation-edit rights to coerce the high-privilege controller into deleting another tenant's container resource by injecting a forged radapp.io/status JSON blob. The flaw is a classic Confused Deputy (CWE-441/CWE-20) that yields an availability-only impact, is most severe in multi-tenant installs, and currently has publicly available exploit code via the GHSA advisory but no public exploit identified at time of analysis in CISA KEV.

Privilege Escalation Nginx Kubernetes
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.25.0 allows a tenant with permission to create Function or Environment CRDs to obtain CAP_SYS_TIME inside function/runtime containers by bypassing an incomplete capability denylist in the ValidatePodSpecSafety admission webhook. The denylist only blocked six Linux capabilities (SYS_ADMIN, NET_ADMIN, SYS_PTRACE, SYS_MODULE, DAC_READ_SEARCH, DAC_OVERRIDE) and omitted CAP_SYS_TIME and others, letting tenant-controlled code modify the container's system clock. No public exploit identified at time of analysis, but the upstream patch and CRD diff are publicly visible in fission/fission PR #3465.

Privilege Escalation Kubernetes
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Input validation bypass in Fission (Kubernetes-native serverless framework) prior to version 1.25.0 allows authenticated users with Kubernetes API access to create HTTPTrigger resources with malformed or unsafe URL paths, achieving low-integrity routing manipulation. The RelativeURL and Prefix fields in HTTPTriggerSpec were validated only at the Fission CLI layer; when the post-CRD-modernization admission webhook was retired in favor of API-server CEL, no CEL rules were authored for those two fields - leaving a complete gap exploitable via kubectl apply or direct Kubernetes REST API calls. No public exploit code exists and this CVE is not listed in CISA KEV, but the bypass is straightforward for any cluster user with HTTPTrigger create rights.

Authentication Bypass Kubernetes
NVD GitHub
EPSS 0% CVSS 3.6
LOW PATCH Monitor

Path traversal in Fission's SanitizeFilePath function (pkg/utils/utils.go) allows a low-privileged tenant to read or write files outside an intended safe directory on a shared Kubernetes volume. Versions prior to 1.25.0 validated directory confinement using strings.HasPrefix, which performs a purely lexical string comparison: a sibling path such as /packages-extra/evil incorrectly passes a check for the safe directory /packages because it satisfies the string prefix condition without a directory-separator boundary. The builder's Clean handler and the fetcher's Fetch and Upload handlers were all affected. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Path traversal in Fission Kubernetes serverless framework prior to version 1.25.0 allows authenticated tenants to write files outside the intended extraction directory by submitting a crafted package archive. The fetcher sidecar (fission-fetcher) processes attacker-controlled Package.Spec.Source.URL or Deployment.URL archives via Unarchive in pkg/utils/zip.go, where filepath.Join was used without verifying the resolved path stayed under the destination, enabling cross-tenant file overwrite, tampering with mounted secret/config volumes, or overwriting the fetcher binary itself. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Path Traversal Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

Privilege escalation in Fission prior to version 1.24.0 allows a tenant holding environments.fission.io create/update RBAC to define Environment custom resources with privileged, allowPrivilegeEscalation, or dangerous Linux capabilities on the bare Runtime.Container or Builder.Container fields, which bypass the existing PodSpec safety validator and get scheduled under the executor's high-privilege service account. Successful abuse enables container-sandbox escape, host filesystem and network access, and node- or cluster-level compromise. No public exploit identified at time of analysis, but the upstream fix is published in v1.24.0.

Privilege Escalation Kubernetes Fission
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Kubernetes service account token exposure in Fission serverless framework prior to v1.24.0 allows authenticated high-privilege users to escalate cluster privileges via a malicious builder image. Builder pods were created with ServiceAccountName set to fission-builder but without AutomountServiceAccountToken: false, causing the Kubernetes kubelet to automatically inject the fission-builder service account credential into every container in the pod - including untrusted, user-supplied builder images. An attacker with sufficient Fission privileges to register or modify builder environments can exploit this to read the mounted token and authenticate directly to the Kubernetes API using the fission-builder service account's RBAC permissions. No public exploit identified at time of analysis; vendor-released patch is available in v1.24.0.

Privilege Escalation Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.24.0 allows a tenant with Environment CRD write access to escape the container sandbox and reach node- or cluster-level privileges by setting unfiltered fields in spec.runtime.podSpec or spec.builder.podSpec. Because the fission-executor and fission-builder service accounts schedule pods on the tenant's behalf, attacker-controlled values for hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName are merged into pod specs without validation. No public exploit identified at time of analysis, but the patch's hardening scope (also closing GHSA-wmgg-3p4h-48x7 and GHSA-v455-mv2v-5g92) shows the issue is broader than a single field.

Privilege Escalation Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.24.0 allows a tenant with Function CRUD permissions to supply an arbitrary Function.spec.podspec that the Container Executor merges into the executor-built podspec, resulting in a Deployment whose pods can break the container sandbox and reach node or cluster level. No public exploit identified at time of analysis, but the upstream fix (PR #3391) explicitly enumerates host namespaces, privileged contexts, hostPath mounts, service account overrides, and dangerous Linux capabilities as the abused fields. CVSS 9.9 with scope change (S:C) reflects that a low-privilege tenant can pivot beyond its own RBAC boundary.

Privilege Escalation Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation in Fission prior to 1.24.0 allows an authenticated user with permission to create or modify Environment custom resources to abuse unvalidated podSpec passthrough fields (Environment.spec.runtime.podSpec and spec.builder.podSpec), causing MergePodSpec to propagate dangerous fields - notably AutomountServiceAccountToken - into the generated builder/runtime pods. Because the fission-builder ServiceAccount token then becomes accessible from a user-supplied container, an attacker can pivot from a Fission tenant into broader Kubernetes cluster privileges (CVSS 9.9, Scope:Changed). No public exploit identified at time of analysis.

Privilege Escalation Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Cross-namespace access control bypass in Fission (Kubernetes-native serverless framework) prior to 1.24.0 allows an authenticated tenant with permission to create Function objects in their own namespace to reference an Environment in a different namespace, because the admission webhook in pkg/webhook/function.go validated namespace equality only for secrets and configmaps, not for spec.environment.namespace. An attacker can pivot across Kubernetes namespace boundaries and pull in environment configuration belonging to other tenants (CVSS 8.5, scope-changed, high confidentiality impact). No public exploit identified at time of analysis, though the upstream fix and full patch diff are publicly available on GitHub.

Authentication Bypass Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Service account token disclosure in OpenTelemetry Operator's TargetAllocator (versions prior to 0.152.0) allows a tenant with ServiceMonitor write permissions in a watched namespace to exfiltrate the OpenTelemetry Collector pod's mounted Kubernetes service account JWT or any other file on the Collector's filesystem. By setting the bearerTokenFile field on a ServiceMonitor to an arbitrary path (such as /var/run/secrets/kubernetes.io/serviceaccount/token) and pointing the scrape target to an attacker-controlled endpoint, the Collector reads the file and ships its contents as an Authorization: Bearer header on every scrape interval. No public exploit is identified at the time of analysis, though the technique mirrors a well-known Prometheus Operator primitive (ArbitraryFSAccessThroughSMs).

Information Disclosure Kubernetes
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-namespace access control bypass in Fission prior to 1.24.0 allows an authenticated tenant to reference Package objects belonging to other Kubernetes namespaces because the admission webhook validated namespaces for Secret and ConfigMap references but omitted the equivalent check for PackageRef.Namespace. A low-privileged user with rights to create Function objects in their own namespace can therefore reach Package contents in arbitrary namespaces, producing a scope-changing confidentiality breach (CVSS 7.7, S:C, C:H). No public exploit identified at time of analysis; not listed in CISA KEV.

Authentication Bypass Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-namespace information disclosure in Fission prior to 1.24.0 allows a low-privilege developer with namespace-scoped permissions to create a KubernetesWatchTrigger (KWT) that establishes a persistent watch channel against Kubernetes resources in any other namespace, breaking the platform's tenancy boundary. The flaw stems from missing namespace-equality enforcement in the kubewatcher controller, which honored an attacker-supplied Spec.Namespace value and even treated an empty value as cluster-wide visibility. No public exploit identified at time of analysis, but the upstream fix (PR #3379, merged into v1.24.0) and detailed advisory GHSA-gc3j-79f2-7vvw confirm the defect class.

Authentication Bypass Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-namespace package reference flaw in Fission prior to version 1.24.0 allows an authenticated tenant to point a Package CRD at an Environment in another namespace, because the buildermgr controller never verified that Package.spec.environment.namespace matched Package.metadata.namespace. With CVSS 7.7 and a scope-changed confidentiality impact, a low-privileged user in one namespace can cause the controller to read and build against environment resources belonging to other tenants. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in Red Hat's kubev2v migration-planner allows a remote authenticated attacker to upload a crafted RVTools .xlsx file whose cluster-name cells are interpolated unsanitized into DuckDB queries, enabling arbitrary file reads on the host. Because the tool runs as a SaaS migration assessment service, leaked Kubernetes service account tokens or other credentials can pivot to full environment compromise. No public exploit identified at time of analysis, but an upstream fix is available via PR #1231.

SQLi Kubernetes Migration Assessment
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege escalation and code execution in Microsoft Azure Kubernetes Service (AKS) is possible via a path traversal flaw (CWE-22) that allows an authorized attacker on the local system to break out of restricted directory boundaries and execute code with elevated privileges. The CVSS 3.1 score of 8.8 reflects the scope change (S:C) where exploitation impacts resources beyond the vulnerable component, enabling full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis.

Microsoft Kubernetes Path Traversal +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in Defense Unicorns UDS Identity Config versions 0.11.0 through 0.26.0 allows remote unauthenticated attackers to obtain OAuth2 tokens for any Keycloak client using the client-kubernetes-secret authenticator by submitting an arbitrary client_secret value. A logic flaw in the custom authenticator overwrites the submitted secret with the mounted Kubernetes secret prior to comparison, rendering the comparison meaningless. With EPSS at 0.04% there is no public exploit identified at time of analysis, but the SSVC technical impact is rated total and exploitation is automatable, making this a high-priority patch for UDS Core operators.

Authentication Bypass Kubernetes Uds Identity Config
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Argument injection in the kubectl_generic tool of mcp-server-kubernetes (npm, ≤ 3.6.2) enables Kubernetes bearer token exfiltration through indirect prompt injection, allowing privilege escalation to the operator's full RBAC permissions. An attacker with limited cluster access plants a crafted JSON payload in pod log output; when an AI agent using the MCP server reads those logs and follows the injected instruction, kubectl_generic calls kubectl with attacker-controlled --server and --insecure-skip-tls-verify flags, forwarding the operator's kubeconfig bearer token to an attacker-controlled HTTPS endpoint. A fully working public PoC exists confirmed end-to-end on a live kind cluster using Claude Haiku; the fix is available in version 3.7.0. No active exploitation per CISA KEV is confirmed at time of analysis.

OpenSSL Python Privilege Escalation +2
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Sensitive credential disclosure in Sidero Labs Omni (versions 1.3.0–1.6.5 and 1.7.0–1.7.2) allows authenticated users with the low-privileged Reader role to read the ImportedClusterSecrets resource and exfiltrate the full CA private key bundle (Kubernetes, etcd, Talos, and service-account keys) of imported Talos clusters whose secrets have not been rotated. With those keys, attackers can mint cluster-admin certificates and seize complete control of the downstream cluster outside Omni's control plane. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Kubernetes
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

{id}) or delete (DELETE /api/projects) any project on the platform, triggering cascading deletion of associated Functions, APIGateways, and FunctionEvents. The write paths construct PermissionOptions without setting MemberIds, causing the platform-layer FilterProjectsByPermissions to short-circuit and skip OPA enforcement entirely. Publicly available exploit code exists (detailed working PoC in the advisory), and the issue is fixed in Nuclio 1.16.0 via PR #4107.

Authentication Bypass Python Docker +1
NVD GitHub
EPSS 0%
CRITICAL PATCH Act Now

YAML injection in Jupyter Enterprise Gateway prior to 3.3.0 allows attackers controlling KERNEL_* environment variables submitted via the /api/kernels endpoint to manipulate Kubernetes manifest rendering, escalating to privileged pod creation and full cluster compromise. The Jinja2 template at kernel-pod.yaml.j2 interpolates untrusted values without YAML-aware escaping, allowing both key overwrites (e.g., securityContext) and multi-document YAML injection to spawn arbitrary Pods, Secrets, PVCs, PVs, Services, and ConfigMaps. A detailed proof-of-concept is published in the GHSA advisory, though no CISA KEV listing or in-the-wild exploitation has been confirmed at time of analysis.

Kubernetes Nginx RCE
NVD GitHub
EPSS 1%
CRITICAL PATCH Act Now

Server-side template injection in Jupyter Enterprise Gateway versions 2.0.0rc2 through 3.2.x allows remote attackers to execute arbitrary Python code and OS commands in the Enterprise Gateway pod by injecting Jinja2 expressions into KERNEL_XXX environment variables sent via the kernel-creation API. Successful exploitation yields the gateway's Kubernetes service account token, which (per the published PoC RBAC dump) carries cluster-impacting verbs over pods, secrets, and persistent volumes - providing a realistic path to full Kubernetes cluster compromise. A working PoC is published in the GHSA advisory (GHSA-f49j-v924-fx9w); no CISA KEV listing at time of analysis.

Kubernetes Python Ssti +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Privilege bypass in Jupyter Enterprise Gateway versions 2.0.0rc1 through 3.2.x allows remote unauthenticated attackers to launch Jupyter kernels as root (UID/GID 0) by appending whitespace to the KERNEL_UID or KERNEL_GID values, bypassing the EG_PROHIBITED_UIDS/GIDS protection. The flaw chains with Kubernetes hostPath volume mounts to enable container escape and worker-node compromise, with publicly available exploit code (PoC) documented in the GHSA advisory; no public exploitation identified at time of analysis.

Kubernetes RCE
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM This Month

OpenShift Container Platform exposes a resource exhaustion path where low-privileged authenticated users with pod creation rights can trigger cluster-wide API server degradation by exploiting two quota enforcement gaps: completed pods with restartPolicy:Never are excluded from ResourceQuota pod limits, and Kubernetes events are not quota-scoped. By repeatedly creating such short-lived pods, an attacker causes Kubernetes events to accumulate unboundedly in etcd, degrading API server performance across the entire cluster - a scope change (CVSS S:C) that extends impact well beyond the attacker's own namespace. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Denial Of Service Kubernetes
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Pull-secret credential exposure in Red Hat Advanced Cluster Management (ACM) and Multicluster Engine (MCE) assisted-service leaks the full contents of a referenced pull-secret - including username, password, email, and base64-encoded auth token - into the publicly-readable `InfraEnv.status.conditions[].message` field when pull-secret validation fails. A low-privileged namespace principal holding the stock Kubernetes `view` ClusterRole, which is explicitly denied direct `get`/`list` on Secret objects, can recover the entire `.dockerconfigjson` credential payload by reading InfraEnv status. This constitutes a confirmed RBAC bypass (CWE-201) demonstrated via a reproduced proof-of-concept; no active exploitation via CISA KEV has been recorded at time of analysis.

Authentication Bypass Kubernetes
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Privilege escalation in Capsule (the Kubernetes multi-tenancy operator) allows authenticated tenant owners to create cluster-scoped resources - including ClusterRole and ValidatingWebhookConfiguration - by embedding them in TenantResource RawItems, bypassing tenant isolation enforced by the platform. The Capsule Controller's default cluster-admin ClusterRoleBinding means it creates whatever resource it is instructed to process, and its attempt to namespace-scope the resource via obj.SetNamespace() is silently ignored by the Kubernetes API for cluster-scoped kinds. A working proof-of-concept is publicly documented in the GHSA advisory; no CISA KEV listing has been issued at time of analysis.

Privilege Escalation Information Disclosure Denial Of Service +1
NVD GitHub VulDB
EPSS 0% CVSS 3.9
LOW PATCH Monitor

Namespace hijacking in Capsule (Kubernetes multi-tenancy operator) prior to v0.13.0 allows an authenticated tenant administrator to reassign any namespace to their own tenant by patching it through the namespace/status or namespace/finalize subresource APIs, which bypass Capsule's ValidatingWebhookConfiguration enforcement entirely. The webhook intercepts direct namespace modifications but omits these subresource paths, leaving a gap that an attacker with explicitly delegated RBAC permissions can exploit with a single PATCH request. A complete, working proof-of-concept is publicly available in the GitHub Security Advisory GHSA-2ww6-hf35-mfjm; no CISA KEV listing was identified, indicating no confirmed widespread active exploitation at time of analysis.

Information Disclosure Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Credential exposure in Tigera Calico's Azure IPAM integration causes ServiceAccount tokens, client keys, and certificate authority data to be written in plaintext to a node-local log file on every pod scheduling and termination event. Affected deployments include Calico, Calico Enterprise, and Calico Cloud when the Azure IPAM plugin is in use with token-based Kubernetes authentication. Any low-privileged principal able to read /var/log/calico/cni/cni.log on an affected node can extract these credentials and leverage them for cluster-wide Calico networking administration. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the sensitive nature of the exposed material - full Kubernetes auth credentials - makes this a meaningful lateral movement and privilege escalation risk within affected Azure-hosted Kubernetes clusters.

Microsoft Information Disclosure Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Credential disclosure in Tigera Calico's calicoctl CLI exposes cluster-access secrets through verbose logging output. When operators run calicoctl with --log-level=info or --log-level=debug, the tool serializes its entire connection-configuration struct (including bearer tokens, etcd passwords, and inline PEM client certificates/keys) to stderr in a single log line, making them harvestable by anyone with access to CI logs, terminal recordings, or support transcripts. The issue is patched upstream but no public exploit is identified at time of analysis; default panic-level logging means standard deployments are not exposed.

Information Disclosure Kubernetes
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Calico's install-cni init container leaks live Kubernetes ServiceAccount bearer tokens into pod logs when Canal/Flannel-Calico deployments use the __SERVICEACCOUNT_TOKEN__ placeholder, making the credential readable by any authenticated user with pods/log permission in the calico-node namespace. The exposed token carries patch privileges on pods/status, creating a lateral movement path via annotation-based attacks against cluster workloads. This is a confirmed regression of TTA-2018-001 reported by Tigera; no public exploit has been identified at time of analysis, though upstream patches are available via GitHub.

Information Disclosure Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation in presire qSnapper before 1.3.3 lets a low-privileged user bypass Polkit authentication in the privileged D-Bus service by exploiting a PID-reuse race in the UnixProcessSubject authorization check. A successful race grants the attacker the authority of a privileged process, exposing high-impact root-level operations (snapshot/file restore) on the host. EPSS is low (0.13%, 3rd percentile) and no public exploit is identified; the issue was found in a coordinated SUSE security review and fixed in v1.3.3.

Apache SSRF Kubernetes +2
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Authentication bypass in qSnapper's privileged D-Bus service (versions before 1.3.3) allows any local unprivileged user to invoke administrative snapshot operations by piggy-backing on another client's prior Polkit authentication. The service stored authentication state in a single shared m_authenticated flag rather than per-client, so once any caller passed an admin check, all subsequent D-Bus callers inherited that state. No public exploit identified at time of analysis; the issue was found during a SUSE-coordinated security review and patched in v1.3.3.

Apache SSRF Kubernetes +1
NVD GitHub VulDB
EPSS 0%
MEDIUM PATCH This Month

VM escape in Kata Containers allows any Kubernetes user with pod-creation rights to break out of the VM sandbox and gain full read/write access to the host filesystem. All Kata Containers installations prior to commit ffa59ce3aa78 are affected when using the default configuration.toml, which enables the `virtio_fs_extra_args` and `kernel_params` pod annotations out of the box. An attacker crafts a pod with two annotations: one to redirect virtiofsd to serve the host root filesystem (`/`) into the guest VM, and a second to enable the agent debug console - after which the entire host filesystem is accessible from inside the supposedly isolated VM. A fully working proof-of-concept with confirmed output against Kata Containers 3.28.0 on Ubuntu 24.04 has been publicly disclosed; no public exploit confirmed as actively exploited (CISA KEV) at time of analysis.

Ubuntu Kubernetes Gitlab +3
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unvalidated jarURI handling in Apache Flink Kubernetes Operator exposes authenticated low-privilege users to server-side request forgery and arbitrary file read primitives against the operator pod. Any Kubernetes principal holding Custom Resource create permissions can submit a malicious FlinkSessionJob CR with a crafted jarURI - pointing to local filesystem paths, internal cloud metadata endpoints, link-local addresses, or any backing store reachable through Flink's pluggable filesystem layer - and retrieve that content via the submitted job. No public exploit has been identified at time of analysis, and EPSS sits at 0.01% (3rd percentile), but the confidentiality impact is rated High by NVD given the breadth of accessible internal resources.

Apache Information Disclosure Kubernetes +2
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

runAsNonRoot bypass in containerd allows crafted container images to execute as UID 0 despite Kubernetes security policies designed to prevent root execution. The flaw stems from containerd treating numeric USER directives that overflow a 32-bit integer as usernames, and if the image's /etc/passwd maps that string to root, the container runs as root. No public exploit identified at time of analysis, but the issue was responsibly disclosed by Lei Wang (@ssst0n3) and fixed in multiple containerd release branches.

Memory Corruption Kubernetes Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authorization bypass in mcp-server-kubernetes versions prior to 3.6.0 allows authenticated clients to invoke any Kubernetes tool - including destructive operations like kubectl_delete, exec_in_pod, and node_management - regardless of ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, or ALLOWED_TOOLS restrictions. The controls were enforced only at the tools/list discovery layer, leaving tools/call unguarded, which effectively reduces operator-configured least-privilege policies to cosmetic filters. Publicly available exploit code exists (a single curl invocation reproduces it), and in cluster-admin deployments the flaw is equivalent to full cluster compromise for any client reaching the endpoint.

Kubernetes Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in Fission (Kubernetes serverless framework) versions <= 1.22.0 allows any user able to deploy or update a Function CRD to read every Secret and ConfigMap in the runtime namespace, bypassing the Function.spec.secrets allowlist. The flaw stems from runtime pods running under the namespace-privileged fission-fetcher ServiceAccount whose automounted token is reachable by the user-code container alongside the fetcher sidecar. No public exploit identified at time of analysis, but the vendor-issued advisory (GHSA-85g2-pmrx-r49q) describes a trivially reachable abuse path once a function can be deployed.

Kubernetes Privilege Escalation
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Unauthenticated archive CRUD in Fission's storagesvc (≤ v1.22.0) lets any in-cluster workload list, download, replace, or delete function deployment archives across all tenants by hitting the ClusterIP-exposed /v1/archive and /v1/archives endpoints. Because uploaded archives are later fetched and executed by function specialization, the flaw escalates from a tenant data-exposure issue to in-cluster code execution. No public exploit identified at time of analysis, but the trivial HTTP pattern and lack of auth middleware make weaponization straightforward for any attacker with a foothold pod.

Kubernetes Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Arbitrary code execution in InternLM lmdeploy <= 0.12.3 occurs because trust_remote_code=True is hardcoded across HuggingFace model-loading call sites in lmdeploy/archs.py and lmdeploy/utils.py. An attacker who can influence the model_path passed to an lmdeploy serving process can point it at a malicious HuggingFace repository, causing Transformers to download and execute attacker-controlled Python code with the privileges of the serving daemon. Publicly available exploit code exists in the GHSA advisory, and an upstream fix has been merged via PR #4511 (fixed in 0.13.0).

Kubernetes Code Injection RCE +2
NVD GitHub
EPSS 0% CVSS 8.1
PATCH Monitor

(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace. This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.

Kubernetes Apache Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow to modify state of Airflow Database for tasks.

Kubernetes Information Disclosure Apache Airflow Cncf Kubernetes Provider
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stored XSS in Argo CD allows developer-role users to inject javascript: URIs via link.argocd.argoproj.io/* annotations, which render unvalidated in the Application Summary tab's URLs section. When an admin clicks the disguised link, arbitrary JavaScript executes in the ArgoCD same-origin context with the victim's session, enabling API exfiltration and developer-to-admin privilege escalation. No public exploit identified at time of analysis beyond the detailed vendor PoC, and the issue is not currently listed in CISA KEV.

Kubernetes XSS Privilege Escalation
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Information disclosure in Argo CD v3.x exposes plaintext Kubernetes Secret values to authenticated users who can view application diffs via the ServerSideDiff feature. This is an incomplete fix for a prior vulnerability (GHSA-3v3m-wc6v-x4x3): the original patch masked top-level Secret data in ServerSideDiff responses but failed to sanitize Secret content embedded in the `kubectl.kubernetes.io/last-applied-configuration` annotation on `predictedLive` objects, leaving raw `data`, `stringData`, and sensitive annotation values readable in UI and CLI diff output. A publicly available proof-of-concept exists; no KEV listing is present at time of analysis, but the Changed Scope (S:C) in the CVSS vector indicates that exposed secrets may belong to workloads beyond the Argo CD application boundary, amplifying real-world impact in multi-tenant environments.

Information Disclosure Kubernetes
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Local file disclosure in NiceGUI versions <= 3.11.1 allows remote unauthenticated attackers to read arbitrary files accessible to the server process when applications pass user-controlled content to ui.restructured_text(). The flaw stems from Docutils being invoked without disabling file-insertion directives (include, csv-table :file:, raw :file:), enabling exfiltration of secrets, credentials, and source code. No public exploit identified at time of analysis, but the vendor advisory provides full directive-level proof patterns.

Information Disclosure Kubernetes Python +1
NVD GitHub
Page 1 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy