Kubernetes
Monthly
Service Account token disclosure in Red Hat OpenShift AI odh-dashboard component exposes Kubernetes credentials through unprotected NodeJS endpoint. Low-privilege authenticated attackers can retrieve service account tokens enabling unauthorized access to Kubernetes cluster resources. Affects Red Hat OpenShift AI 2.16 and multiple RHOAI versions. Cross-scope impact allows privilege escalation beyond dashboard component boundaries. No public exploit identified at time of analysis.
Flux notification-controller prior to version 1.8.3 fails to validate the email claim in Google OIDC tokens used for Pub/Sub push authentication, allowing any valid Google-issued token to trigger unauthorized reconciliations via the gcr Receiver webhook endpoint. An attacker must know or discover the webhook URL (generated from a random token stored in a Kubernetes Secret) to exploit this vulnerability; however, practical impact is severely limited because Flux reconciliations are idempotent and deduplicated, meaning unauthorized requests result in no operational changes to cluster state unless the underlying Git/OCI/Helm sources have been modified.
Helm versions 3.20.1 and earlier, and 4.1.3 and earlier, allow local attackers with user interaction to write Chart contents to arbitrary directories via path traversal in the helm pull --untar command. A specially crafted Chart will bypass the expected subdirectory naming convention and extract files to the current working directory or a user-specified destination, potentially overwriting existing files. Vendor-released patches are available in versions 3.20.2 and 4.1.4.
Apache Tomcat's cloud membership clustering component logs Kubernetes bearer tokens in plaintext, enabling unauthenticated remote attackers to extract authentication credentials from log files. Affects Tomcat 9.0.13-9.0.116, 10.1.0-M1-10.1.53, and 11.0.0-M1-11.0.20. CVSS 7.5 (High) reflects confidentiality impact; no public exploit identified at time of analysis. Exploitation requires network access to log files or log aggregation systems, potentially enabling privilege escalation within Kubernetes clusters.
Aiven Operator versions 0.31.0 through 0.36.x allow developers with ClickhouseUser CRD creation permissions in their own namespace to exfiltrate secrets from arbitrary namespaces by exploiting a confused deputy vulnerability in the operator's ClusterRole. An attacker can craft a malicious ClickhouseUser resource that causes the operator to read privileged credentials (database passwords, API keys, service tokens) from production namespaces and write them into the attacker's namespace with a single kubectl apply command. The vulnerability is fixed in version 0.37.0.
Signature verification bypass in Helm 4.0.0 through 4.1.3 allows installation of unverified plugins despite enabled provenance checking. When users require plugin signature verification, Helm incorrectly permits installation of plugins lacking provenance (.prov) files, enabling potential supply chain attacks where malicious code executes with Helm's privileges. Affects Kubernetes package manager deployments using plugin verification. No public exploit identified at time of analysis.
Path traversal in Helm 4.0.0 through 4.1.3 allows malicious plugin installation to write arbitrary files to any filesystem location. When users install or update a specially crafted Helm plugin containing directory traversal sequences (/../) in the version field of plugin.yaml, the package manager writes plugin contents outside intended directories. Exploitation requires user interaction to install or update the malicious plugin. No public exploit identified at time of analysis. Impacts Kubernetes environments using Helm for package management, enabling potential system compromise through arbitrary file write.
Container privilege escalation in Red Hat Multicluster Engine for Kubernetes allows authenticated local attackers to escalate from non-root container execution to full root privileges by exploiting group-writable permissions on the /etc/passwd file created during container image build time, enabling arbitrary UID assignment including UID 0.
Unauthenticated network access to Podman Desktop's HTTP server enables remote denial-of-service attacks and information disclosure via verbose error messages. Attackers can exhaust file descriptors and kernel memory without authentication, causing application crashes or complete host freezes, while error responses leak internal paths and Windows usernames. Fixed in version 1.26.2. EPSS data not available; no public exploit identified at time of analysis.
Improper certificate validation in Red Hat's Open Cluster Management (OCM) and Multicluster Engine for Kubernetes allows managed cluster administrators with high-level local access to forge client certificates, achieving cross-cluster privilege escalation to other managed clusters including the hub cluster. The CVSS 8.2 rating reflects high impact across confidentiality, integrity, and availability with scope change, though exploitation requires existing high-privilege local access (PR:H) and local attack vector (AV:L). No public exploit code or CISA KEV listing identified at time of analysis, though technical details are publicly documented in researcher blog post.
Command injection in BentoML's cloud deployment path allows remote code execution on BentoCloud build infrastructure via malicious bentofile.yaml configurations. While commit ce53491 fixed command injection in local Dockerfile generation by adding shlex.quote protection, the cloud deployment code path (deployment.py:1648) remained vulnerable, directly interpolating system_packages into shell commands without sanitization. Attackers can inject shell metacharacters through bentofile.yaml to execute arbitrary commands during cloud deployment, enabling supply chain attacks, credential exfiltration, and infrastructure compromise. CVSS 7.8 score reflects local attack vector requiring user interaction, but real-world impact targets cloud CI/CD infrastructure. No public exploit code or active exploitation (CISA KEV) confirmed at time of analysis.
Microsoft Azure Kubernetes Service (AKS) contains an improper authorization vulnerability enabling unauthenticated remote attackers to elevate privileges over a network with critical impact across confidentiality, integrity, and availability. The CVSS 10.0 critical rating reflects network-accessible exploitation requiring no authentication, low complexity, and scope change allowing compromise beyond the vulnerable component. No public exploit identified at time of analysis, though the authentication bypass nature and maximum severity warrant immediate priority.
Unauthenticated remote attackers can trigger complete database overwrites, server-side file reads, and SSRF attacks against Dgraph graph database servers (v24.x, v25.x prior to v25.3.1) via the admin API's restoreTenant mutation. The mutation bypasses all authentication middleware due to missing authorization configuration, allowing attackers to provide arbitrary backup source URLs (including file:// schemes for local filesystem access), S3/MinIO credentials, Vault configuration paths, and encryption key file paths. Live exploitation confirmed in Docker deployments. Vendor-released patch available in v25.3.1 (commit b15c87e9).
Command injection in KubeAI Ollama model controller allows Kubernetes users with Model CRD write permissions to execute arbitrary shell commands inside model server pods. The vulnerability stems from unsanitized URL components (model ref and query parameters) being interpolated into bash startup probe scripts. With CVSS 8.7 (AV:N/AC:L/PR:H/UI:N/S:C), this represents a significant privilege escalation risk in multi-tenant clusters where Model creation is delegated to non-admin users. No public exploit identified at time of analysis, though detailed proof-of-concept payloads are documented in the GitHub advisory.
Server-Side Request Forgery in PraisonAI's passthrough API allows authenticated remote attackers to access internal cloud metadata services and private network resources. The vulnerability affects the praisonai Python package where the passthrough() and apassthrough() functions accept unvalidated caller-controlled api_base parameters that are directly concatenated and passed to httpx requests. With default AUTH_ENABLED=False configuration, this is remotely exploitable to retrieve EC2 IAM credentials via IMDSv1 (169.254.169.254) or reach internal services like Redis, Elasticsearch, and Kubernetes APIs within cloud VPCs. Public exploit code exists demonstrating localhost and metadata service access. EPSS data not available, not listed in CISA KEV.
A path traversal vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor patch is available.
Command injection in Flannel's experimental Extension backend allows authenticated Kubernetes users with node annotation privileges to execute arbitrary commands as root on all flannel nodes in the cluster. This affects Flannel versions prior to 0.28.2 using the Extension backend; other backends (vxlan, wireguard) are unaffected. No public exploit identified at time of analysis, but CVSS 7.5 reflects high impact once node annotation access is achieved. EPSS data not available for this recent CVE (2026 designation appears to be error; actual 2025 advisory).
Cilium Network Policy enforcement is bypassed for traffic from pods to L7 Services with local backends on the same node when Per-Endpoint Routing is enabled and BPF Host Routing is disabled, allowing authenticated local attackers to circumvent ingress network policies and access restricted services. This affects Cilium v1.19.0-v1.19.1, v1.18.0-v1.18.7, and all versions prior to v1.17.13, with the most common vulnerable deployment being Amazon EKS with Cilium ENI mode. Vendor-released patches are available (v1.19.2, v1.18.8, v1.17.14), and no public exploit code has been identified at the time of analysis.
LiquidJS versions 10.24.x and earlier contain a memory limit bypass vulnerability that allows unauthenticated attackers to crash Node.js processes through a single malicious template. By exploiting reverse range expressions to drive the memory counter negative, attackers can allocate unlimited memory and trigger a V8 Fatal error that terminates the entire process, causing complete denial of service. A detailed proof-of-concept exploit is publicly available demonstrating the full attack chain from bypass to process crash.
A SSRF vulnerability (CVSS 6.3) that allows an attacker. Remediation should follow standard vulnerability management procedures.
The Kubernetes NFS CSI Driver fails to properly validate the subDir parameter in volume identifiers, allowing privileged users to inject path traversal sequences that bypass intended directory restrictions. Attackers with PersistentVolume creation privileges can craft malicious volume identifiers to access and modify arbitrary directories on the NFS server during cleanup operations. No patch is currently available for this medium-severity vulnerability affecting Kubernetes environments.
This is an authentication and authorization bypass vulnerability in etcd's gRPC API layer that allows unauthorized users to execute privileged operations when etcd auth is enabled. Affected are etcd versions prior to 3.4.42, 3.5.28, and 3.6.9 (specifically the Go packages go.etcd.io/etcd/v3 and go.etcd.io/etcd). Attackers can enumerate cluster topology via MemberList, trigger denial of service through Alarm APIs, manipulate Lease operations affecting TTL-based keys, and force compaction to permanently delete historical data. Standard Kubernetes deployments are not affected as they do not rely on etcd's built-in authentication. No EPSS score or KEV listing is currently available, and the vulnerability was responsibly disclosed by multiple security researchers.
An authenticated user with restricted RBAC permissions on specific key ranges in etcd can use nested transactions to completely bypass key-level authorization controls and access the entire etcd data store. This affects etcd versions 3.4.x before 3.4.42, 3.5.x before 3.5.28, and 3.6.x before 3.6.9. While Kubernetes deployments are typically protected because Kubernetes handles authentication and authorization at the API server layer rather than relying on etcd's built-in controls, direct etcd deployments with RBAC restrictions are at significant risk.
Path traversal in Apple and Kubernetes DAG management APIs allows authenticated attackers to access arbitrary files outside the intended directory by injecting URL-encoded forward slashes into file name parameters on GET, DELETE, RENAME, and EXECUTE endpoints. The vulnerability affects systems where a previous patch (CVE-2026-27598) only secured the CREATE endpoint while leaving other API functions unprotected. An attacker with valid credentials can read, modify, or execute unintended DAG files on the affected system.
Budibase, a low-code platform distributed as a Docker/Kubernetes application, contains a Server-Side Request Forgery (SSRF) vulnerability in its REST datasource query preview endpoint. Authenticated admin users can force the server to make HTTP requests to arbitrary URLs including cloud metadata services, internal networks, and Kubernetes APIs. A detailed proof-of-concept exists demonstrating theft of GCP OAuth2 tokens with cloud-platform scope, CouchDB credential extraction, and internal service enumeration. The CVSS score of 8.7 reflects high confidentiality and integrity impact with changed scope, requiring high privileges but low attack complexity.
The Tekton Pipelines git resolver contains a path traversal vulnerability allowing authenticated tenants to read arbitrary files from the resolver pod's filesystem via the pathInRepo parameter. Affected products include github.com/tektoncd/pipeline versions 1.0.0 through 1.10.0 across multiple release branches. The vulnerability enables credential exfiltration and privilege escalation from namespace-scoped access to cluster-wide secret reading capabilities. A proof-of-concept was provided by the vulnerability reporter Oleh Konko.
A denial of service vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
The kube-router proxy module fails to validate Service externalIPs and LoadBalancer IPs against configured IP ranges, allowing namespace-scoped users to bind arbitrary VIPs on all cluster nodes and hijack traffic to critical services like kube-dns. This affects all kube-router v2.x versions including v2.7.1, primarily impacting multi-tenant clusters where untrusted users have Service creation permissions. A detailed proof-of-concept demonstrates single-command cluster DNS takedown and arbitrary VIP binding with traffic redirection to attacker-controlled pods, though EPSS scoring is not available for this recently disclosed vulnerability.
CVE-2026-32769 is a security vulnerability. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
CVE-2026-32768 is a security vulnerability. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
A misconfigured NetworkPolicy in Kubernetes deployments allows attackers to perform unauthorized lateral movement between namespaces, breaking namespace isolation security boundaries. This vulnerability affects Kubernetes environments with improperly configured inter-namespace NetworkPolicies, specifically those with 'inter-ns' prefixed policies in monitoring namespaces. An attacker who compromises any component can pivot to access resources in other namespaces, potentially accessing sensitive data or systems they shouldn't have access to.
OneUptime versions prior to 10.0.24 contain a sensitive information exposure vulnerability where the password reset flow logs complete password reset URLs containing plaintext reset tokens at the INFO log level, which is enabled by default in production environments. Any actor with access to application logs-including log aggregation systems, Docker logs, or Kubernetes pod logs-can extract these tokens and perform account takeover on any user. The vulnerability is fixed in version 10.0.24.
Silent event loss in Inspektor Gadget prior to 0.50.1 allows local attackers to cause denial of service by filling the 256KB ring-buffer, which triggers undetected data drops without alerting users or administrators. When the buffer becomes full, gadgets silently discard events and fail to report the loss count, potentially hiding critical system events from Kubernetes cluster and Linux host monitoring. A local attacker with limited privileges can exploit this to obscure malicious activity or system anomalies by saturating the instrumentation buffer.
Medium severity vulnerability in HashiCorp Consul. HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.
Kubernetes flagd feature flag daemon versions before 0.14.2 are vulnerable to denial of service through unbounded memory allocation on publicly accessible evaluation endpoints. An unauthenticated attacker can send HTTP requests with arbitrarily large payloads to exhaust memory and crash the service. This affects deployments without external authentication controls, allowing trivial process termination in containerized environments.
Argo Workflows versions 2.9.0 through 4.0.1 (and 3.x before 3.7.11) allow authenticated users to bypass WorkflowTemplate security policies by injecting a podSpecPatch field in workflow submissions, circumventing even strict template referencing controls. An attacker with workflow submission privileges can exploit this to modify pod specifications without security validation, potentially gaining unauthorized access or executing arbitrary code. This vulnerability affects organizations using Kubernetes with Argo Workflows and requires upgrading to versions 4.0.2, 3.7.11 or later to remediate.
Auth bypass in Argo Workflows before 4.0.2/3.7.11.
Kubewarden's deprecated host-callback APIs in AdmissionPolicy can be exploited by authenticated users with policy creation permissions to gain unauthorized read access to cluster-level resources including Ingresses, Namespaces, and Services. An attacker with privileged AdmissionPolicy creation permissions—not a default privilege—could craft malicious policies to bypass intended access controls and enumerate sensitive cluster infrastructure, though this vulnerability is limited to read-only access without write capability or access to Secrets and ConfigMaps. The vulnerability affects Kubernetes deployments using Kubewarden and currently has no available patch.
Arbitrary code execution in ingress-nginx controllers via malicious rewrite-target annotations allows authenticated attackers to execute commands and exfiltrate cluster secrets. Kubernetes administrators using ingress-nginx are at risk, particularly in default configurations where the controller has cluster-wide secret access. No patch is currently available.
Zarf is an Airgap Native Packager Manager for Kubernetes. [CVSS 8.2 HIGH]
LangSmith Studio contains a URL parameter injection vulnerability that allows attackers to steal authentication tokens, user IDs, and workspace credentials from users who click malicious links, enabling account takeover and unauthorized access to workspace resources. Both LangSmith Cloud and self-hosted Kubernetes deployments are affected, with exploitation requiring social engineering to trick authenticated users into clicking attacker-controlled URLs. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
Path traversal in Kaniko 1.25.4 through 1.25.9 allows attackers to extract tar archives outside the intended destination directory, enabling arbitrary file writes on the build system. When combined with Docker credential helpers in registry authentication scenarios, this vulnerability can be leveraged for code execution within the Kaniko executor process. Docker and Kubernetes environments using the affected Kaniko versions are at risk.
Kruise provides automated management of large-scale applications on Kubernetes. Prior to versions 1.8.3 and 1.7.5, PodProbeMarker allows defining custom probes with TCPSocket or HTTPGet handlers.
Arbitrary host file exfiltration from Cloud Hypervisor VMM versions 34.0-50.0. CVSS 10.0. Patch available.
Strimzi Kafka Operator versions 0.49.0-0.50.0 incorrectly trusts all intermediate CAs in a multistage certificate chain for mTLS authentication, allowing any user with a certificate signed by any CA in the chain to authenticate to Kafka listeners. This authentication bypass affects only deployments using custom Cluster or Clients CA with multi-level CA chains. No patch is currently available.
Strimzi versions 0.47.0 through 0.50.0 improperly trust all certificates in a CA chain rather than only the intended signing authority, allowing Kafka Connect and MirrorMaker 2 operands to accept connections from brokers with certificates signed by intermediate CAs. An attacker could leverage this improper certificate validation to establish unauthorized connections to Kafka clusters using alternate CA-signed certificates from the trusted chain. This vulnerability requires high privileges to configure the CA chain and has no available patch at this time.
Authorization bypass in Kargo Kubernetes promotion tool from 1.7.0 before 1.7.8/1.8.11/1.9.3. Batch resource creation bypasses authorization checks. Patch available.
Kargo versions 1.9.0 through 1.9.2 fail to enforce the custom "promote" authorization verb in three REST API endpoints, allowing authenticated users with standard Kubernetes RBAC permissions to trigger promotions without the intended fine-grained access controls. An attacker with patch permissions on freight status or create permissions on promotions can bypass promotion pipeline restrictions and advance software artifacts unauthorized. A patch is available to restore the missing authorization checks.
Arbitrary code execution in Yoke's Air Traffic Controller component allows authenticated users with CustomResource create/update permissions to execute malicious WebAssembly modules by injecting crafted URLs into the overrides.yoke.cd/flight annotation, potentially enabling cluster-admin privilege escalation. The vulnerability affects Yoke 0.19.0 and earlier, with no patch currently available and an 8.8 CVSS severity rating.
Unauthenticated webhook endpoints in Yoke's Air Traffic Controller component allow any pod within a Kubernetes cluster to submit AdmissionReview requests and execute WASM modules in the controller's context without authorization. This affects Yoke versions 0.19.0 and earlier, enabling attackers with cluster access to bypass API Server authentication and potentially compromise the infrastructure-as-code deployment pipeline. No patch is currently available.
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter injection. PoC and patch available.
Element Server Suite Community Edition (ESS Community) deploys a Matrix stack using the provided Helm charts and Kubernetes distribution.
Antrea Kubernetes networking has an authentication bypass enabling unauthorized access to the Kubernetes network policy infrastructure.
A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. [CVSS 8.8 HIGH]
Devtron is an open source tool integration platform for Kubernetes. [CVSS 8.8 HIGH]
Denial-of-service in cert-manager versions 1.18.0-1.18.4 and 1.19.0-1.19.2 allows network-adjacent attackers to crash the controller by poisoning DNS cache entries during ACME DNS-01 validation through unencrypted DNS traffic interception. An attacker positioned to intercept DNS queries from the cert-manager pod can inject malicious DNS responses that trigger a panic in the controller, disrupting certificate management operations in affected Kubernetes clusters. A patch is available for immediate deployment.
Arbitrary code execution in ingress-nginx controllers via malicious `nginx.ingress.kubernetes.io/auth-method` Ingress annotations allows authenticated attackers to execute commands within the controller context and access cluster-wide Secrets. This vulnerability affects Nginx and Kubernetes deployments where the ingress controller has default cluster-wide Secret access permissions. No patch is currently available.
Inspektor Gadget versions prior to 0.48.1 allow local attackers with limited privileges to execute arbitrary commands during custom gadget image builds due to insufficient input sanitization in Makefile generation. An attacker who can control buildOptions parameters can inject shell commands that execute with the privileges of the build process. Public exploit code exists for this vulnerability.
Authorization bypass in vCluster Platform Kubernetes virtual cluster management before 4.6.0/4.5.4/4.4.4. Users can access resources outside their authorized virtual cluster scope.
Podman Desktop versions prior to 1.25.1 contain an authentication bypass in the extension permission framework where the `isAccessAllowed()` function always returns true, allowing malicious extensions to hijack authentication sessions and access sensitive resources without authorization. Public exploit code exists for this vulnerability, affecting all current deployments of the affected product. Administrators should upgrade to version 1.25.1 or later immediately.
Kargo's GetConfig() API endpoint fails to validate Bearer token authenticity, allowing unauthenticated attackers to retrieve sensitive configuration data including Argo CD cluster endpoints and namespaces that could facilitate further attacks. The same authentication bypass affects the RefreshResource endpoint, which can be leveraged for denial-of-service attacks. Versions 1.6.3, 1.7.7, and 1.8.7 and later include patches for this vulnerability.
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass and unauthorized cluster operations.
Skipper versions up to 0.24.0 contains a vulnerability that allows attackers to list targets of an ExternalName and allow list via regular expressions (CVSS 8.1).
Flux Operator versions 0.36.0 through 0.39.x contain an authentication bypass in the Web UI that allows authenticated users to escalate privileges and execute API requests with the operator's service account permissions. The vulnerability affects deployments where OIDC providers issue incomplete token claims or custom CEL expressions evaluate to empty values, bypassing Kubernetes RBAC impersonation controls. Cluster administrators running affected Flux Operator versions should upgrade to 0.40.0 or later.
Stored XSS in Argo Workflows artifact directory listing (versions prior to 3.6.17 and 3.7.8) allows workflow authors to inject malicious JavaScript that executes in other users' browsers under the Argo Server origin. An attacker can leverage the victim's session to perform API actions and access resources with their privileges. Public exploit code exists for this vulnerability; patched versions are available.
External Secrets Operator versions 0.20.2 through 1.1.x contain an authorization bypass in the getSecretKey template function that allows authenticated users to retrieve secrets across namespace boundaries, circumventing intended access controls. An attacker with local Kubernetes access could exploit this to exfiltrate sensitive data managed by the operator outside their authorized namespace. The vulnerability has been patched in version 1.2.0 where the function was completely removed.
Skipper versions before 0.23.0 allow authenticated users with Ingress resource creation privileges to execute arbitrary Lua scripts that read sensitive filesystem data and secrets accessible to the Skipper process. The vulnerability stems from the default -lua-sources=inline configuration enabling untrusted users to create inline Lua filters. Public exploit code exists for this high-severity vulnerability affecting Kubernetes environments running vulnerable Skipper versions.
Pepr is a type safe K8s middleware. Prior to 1.0.5 , Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality. [CVSS 7.7 HIGH]
Credential theft via Lua script execution in Envoy Gateway versions before 1.5.7 and 1.6.2 allows authenticated attackers to extract proxy credentials and subsequently access the control plane and all associated secrets including TLS private keys. Public exploit code exists for this vulnerability. Affected organizations running vulnerable Envoy Gateway instances should immediately upgrade as no patch is currently available for intermediate versions.
Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. [CVSS 7.9 HIGH]
A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. [CVSS 7.8 HIGH]
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The issue is fixed in Strimzi 0.49.1.
MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, there is a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8.
Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
Typebot is an open-source chatbot builder. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} Cilium has a BPF egress gateway feature which forces outgoing K8s Pod.
The Datadog Agent collects events and metrics from hosts and sends them to Datadog. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.
A flaw was found in the Observability Operator. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.0). Public exploit code available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. Public exploit code available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code available.
MARIN3R is a lightweight, CRD based envoy control plane for kubernetes. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Service Account token disclosure in Red Hat OpenShift AI odh-dashboard component exposes Kubernetes credentials through unprotected NodeJS endpoint. Low-privilege authenticated attackers can retrieve service account tokens enabling unauthorized access to Kubernetes cluster resources. Affects Red Hat OpenShift AI 2.16 and multiple RHOAI versions. Cross-scope impact allows privilege escalation beyond dashboard component boundaries. No public exploit identified at time of analysis.
Flux notification-controller prior to version 1.8.3 fails to validate the email claim in Google OIDC tokens used for Pub/Sub push authentication, allowing any valid Google-issued token to trigger unauthorized reconciliations via the gcr Receiver webhook endpoint. An attacker must know or discover the webhook URL (generated from a random token stored in a Kubernetes Secret) to exploit this vulnerability; however, practical impact is severely limited because Flux reconciliations are idempotent and deduplicated, meaning unauthorized requests result in no operational changes to cluster state unless the underlying Git/OCI/Helm sources have been modified.
Helm versions 3.20.1 and earlier, and 4.1.3 and earlier, allow local attackers with user interaction to write Chart contents to arbitrary directories via path traversal in the helm pull --untar command. A specially crafted Chart will bypass the expected subdirectory naming convention and extract files to the current working directory or a user-specified destination, potentially overwriting existing files. Vendor-released patches are available in versions 3.20.2 and 4.1.4.
Apache Tomcat's cloud membership clustering component logs Kubernetes bearer tokens in plaintext, enabling unauthenticated remote attackers to extract authentication credentials from log files. Affects Tomcat 9.0.13-9.0.116, 10.1.0-M1-10.1.53, and 11.0.0-M1-11.0.20. CVSS 7.5 (High) reflects confidentiality impact; no public exploit identified at time of analysis. Exploitation requires network access to log files or log aggregation systems, potentially enabling privilege escalation within Kubernetes clusters.
Aiven Operator versions 0.31.0 through 0.36.x allow developers with ClickhouseUser CRD creation permissions in their own namespace to exfiltrate secrets from arbitrary namespaces by exploiting a confused deputy vulnerability in the operator's ClusterRole. An attacker can craft a malicious ClickhouseUser resource that causes the operator to read privileged credentials (database passwords, API keys, service tokens) from production namespaces and write them into the attacker's namespace with a single kubectl apply command. The vulnerability is fixed in version 0.37.0.
Signature verification bypass in Helm 4.0.0 through 4.1.3 allows installation of unverified plugins despite enabled provenance checking. When users require plugin signature verification, Helm incorrectly permits installation of plugins lacking provenance (.prov) files, enabling potential supply chain attacks where malicious code executes with Helm's privileges. Affects Kubernetes package manager deployments using plugin verification. No public exploit identified at time of analysis.
Path traversal in Helm 4.0.0 through 4.1.3 allows malicious plugin installation to write arbitrary files to any filesystem location. When users install or update a specially crafted Helm plugin containing directory traversal sequences (/../) in the version field of plugin.yaml, the package manager writes plugin contents outside intended directories. Exploitation requires user interaction to install or update the malicious plugin. No public exploit identified at time of analysis. Impacts Kubernetes environments using Helm for package management, enabling potential system compromise through arbitrary file write.
Container privilege escalation in Red Hat Multicluster Engine for Kubernetes allows authenticated local attackers to escalate from non-root container execution to full root privileges by exploiting group-writable permissions on the /etc/passwd file created during container image build time, enabling arbitrary UID assignment including UID 0.
Unauthenticated network access to Podman Desktop's HTTP server enables remote denial-of-service attacks and information disclosure via verbose error messages. Attackers can exhaust file descriptors and kernel memory without authentication, causing application crashes or complete host freezes, while error responses leak internal paths and Windows usernames. Fixed in version 1.26.2. EPSS data not available; no public exploit identified at time of analysis.
Improper certificate validation in Red Hat's Open Cluster Management (OCM) and Multicluster Engine for Kubernetes allows managed cluster administrators with high-level local access to forge client certificates, achieving cross-cluster privilege escalation to other managed clusters including the hub cluster. The CVSS 8.2 rating reflects high impact across confidentiality, integrity, and availability with scope change, though exploitation requires existing high-privilege local access (PR:H) and local attack vector (AV:L). No public exploit code or CISA KEV listing identified at time of analysis, though technical details are publicly documented in researcher blog post.
Command injection in BentoML's cloud deployment path allows remote code execution on BentoCloud build infrastructure via malicious bentofile.yaml configurations. While commit ce53491 fixed command injection in local Dockerfile generation by adding shlex.quote protection, the cloud deployment code path (deployment.py:1648) remained vulnerable, directly interpolating system_packages into shell commands without sanitization. Attackers can inject shell metacharacters through bentofile.yaml to execute arbitrary commands during cloud deployment, enabling supply chain attacks, credential exfiltration, and infrastructure compromise. CVSS 7.8 score reflects local attack vector requiring user interaction, but real-world impact targets cloud CI/CD infrastructure. No public exploit code or active exploitation (CISA KEV) confirmed at time of analysis.
Microsoft Azure Kubernetes Service (AKS) contains an improper authorization vulnerability enabling unauthenticated remote attackers to elevate privileges over a network with critical impact across confidentiality, integrity, and availability. The CVSS 10.0 critical rating reflects network-accessible exploitation requiring no authentication, low complexity, and scope change allowing compromise beyond the vulnerable component. No public exploit identified at time of analysis, though the authentication bypass nature and maximum severity warrant immediate priority.
Unauthenticated remote attackers can trigger complete database overwrites, server-side file reads, and SSRF attacks against Dgraph graph database servers (v24.x, v25.x prior to v25.3.1) via the admin API's restoreTenant mutation. The mutation bypasses all authentication middleware due to missing authorization configuration, allowing attackers to provide arbitrary backup source URLs (including file:// schemes for local filesystem access), S3/MinIO credentials, Vault configuration paths, and encryption key file paths. Live exploitation confirmed in Docker deployments. Vendor-released patch available in v25.3.1 (commit b15c87e9).
Command injection in KubeAI Ollama model controller allows Kubernetes users with Model CRD write permissions to execute arbitrary shell commands inside model server pods. The vulnerability stems from unsanitized URL components (model ref and query parameters) being interpolated into bash startup probe scripts. With CVSS 8.7 (AV:N/AC:L/PR:H/UI:N/S:C), this represents a significant privilege escalation risk in multi-tenant clusters where Model creation is delegated to non-admin users. No public exploit identified at time of analysis, though detailed proof-of-concept payloads are documented in the GitHub advisory.
Server-Side Request Forgery in PraisonAI's passthrough API allows authenticated remote attackers to access internal cloud metadata services and private network resources. The vulnerability affects the praisonai Python package where the passthrough() and apassthrough() functions accept unvalidated caller-controlled api_base parameters that are directly concatenated and passed to httpx requests. With default AUTH_ENABLED=False configuration, this is remotely exploitable to retrieve EC2 IAM credentials via IMDSv1 (169.254.169.254) or reach internal services like Redis, Elasticsearch, and Kubernetes APIs within cloud VPCs. Public exploit code exists demonstrating localhost and metadata service access. EPSS data not available, not listed in CISA KEV.
A path traversal vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor patch is available.
Command injection in Flannel's experimental Extension backend allows authenticated Kubernetes users with node annotation privileges to execute arbitrary commands as root on all flannel nodes in the cluster. This affects Flannel versions prior to 0.28.2 using the Extension backend; other backends (vxlan, wireguard) are unaffected. No public exploit identified at time of analysis, but CVSS 7.5 reflects high impact once node annotation access is achieved. EPSS data not available for this recent CVE (2026 designation appears to be error; actual 2025 advisory).
Cilium Network Policy enforcement is bypassed for traffic from pods to L7 Services with local backends on the same node when Per-Endpoint Routing is enabled and BPF Host Routing is disabled, allowing authenticated local attackers to circumvent ingress network policies and access restricted services. This affects Cilium v1.19.0-v1.19.1, v1.18.0-v1.18.7, and all versions prior to v1.17.13, with the most common vulnerable deployment being Amazon EKS with Cilium ENI mode. Vendor-released patches are available (v1.19.2, v1.18.8, v1.17.14), and no public exploit code has been identified at the time of analysis.
LiquidJS versions 10.24.x and earlier contain a memory limit bypass vulnerability that allows unauthenticated attackers to crash Node.js processes through a single malicious template. By exploiting reverse range expressions to drive the memory counter negative, attackers can allocate unlimited memory and trigger a V8 Fatal error that terminates the entire process, causing complete denial of service. A detailed proof-of-concept exploit is publicly available demonstrating the full attack chain from bypass to process crash.
A SSRF vulnerability (CVSS 6.3) that allows an attacker. Remediation should follow standard vulnerability management procedures.
The Kubernetes NFS CSI Driver fails to properly validate the subDir parameter in volume identifiers, allowing privileged users to inject path traversal sequences that bypass intended directory restrictions. Attackers with PersistentVolume creation privileges can craft malicious volume identifiers to access and modify arbitrary directories on the NFS server during cleanup operations. No patch is currently available for this medium-severity vulnerability affecting Kubernetes environments.
This is an authentication and authorization bypass vulnerability in etcd's gRPC API layer that allows unauthorized users to execute privileged operations when etcd auth is enabled. Affected are etcd versions prior to 3.4.42, 3.5.28, and 3.6.9 (specifically the Go packages go.etcd.io/etcd/v3 and go.etcd.io/etcd). Attackers can enumerate cluster topology via MemberList, trigger denial of service through Alarm APIs, manipulate Lease operations affecting TTL-based keys, and force compaction to permanently delete historical data. Standard Kubernetes deployments are not affected as they do not rely on etcd's built-in authentication. No EPSS score or KEV listing is currently available, and the vulnerability was responsibly disclosed by multiple security researchers.
An authenticated user with restricted RBAC permissions on specific key ranges in etcd can use nested transactions to completely bypass key-level authorization controls and access the entire etcd data store. This affects etcd versions 3.4.x before 3.4.42, 3.5.x before 3.5.28, and 3.6.x before 3.6.9. While Kubernetes deployments are typically protected because Kubernetes handles authentication and authorization at the API server layer rather than relying on etcd's built-in controls, direct etcd deployments with RBAC restrictions are at significant risk.
Path traversal in Apple and Kubernetes DAG management APIs allows authenticated attackers to access arbitrary files outside the intended directory by injecting URL-encoded forward slashes into file name parameters on GET, DELETE, RENAME, and EXECUTE endpoints. The vulnerability affects systems where a previous patch (CVE-2026-27598) only secured the CREATE endpoint while leaving other API functions unprotected. An attacker with valid credentials can read, modify, or execute unintended DAG files on the affected system.
Budibase, a low-code platform distributed as a Docker/Kubernetes application, contains a Server-Side Request Forgery (SSRF) vulnerability in its REST datasource query preview endpoint. Authenticated admin users can force the server to make HTTP requests to arbitrary URLs including cloud metadata services, internal networks, and Kubernetes APIs. A detailed proof-of-concept exists demonstrating theft of GCP OAuth2 tokens with cloud-platform scope, CouchDB credential extraction, and internal service enumeration. The CVSS score of 8.7 reflects high confidentiality and integrity impact with changed scope, requiring high privileges but low attack complexity.
The Tekton Pipelines git resolver contains a path traversal vulnerability allowing authenticated tenants to read arbitrary files from the resolver pod's filesystem via the pathInRepo parameter. Affected products include github.com/tektoncd/pipeline versions 1.0.0 through 1.10.0 across multiple release branches. The vulnerability enables credential exfiltration and privilege escalation from namespace-scoped access to cluster-wide secret reading capabilities. A proof-of-concept was provided by the vulnerability reporter Oleh Konko.
A denial of service vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
The kube-router proxy module fails to validate Service externalIPs and LoadBalancer IPs against configured IP ranges, allowing namespace-scoped users to bind arbitrary VIPs on all cluster nodes and hijack traffic to critical services like kube-dns. This affects all kube-router v2.x versions including v2.7.1, primarily impacting multi-tenant clusters where untrusted users have Service creation permissions. A detailed proof-of-concept demonstrates single-command cluster DNS takedown and arbitrary VIP binding with traffic redirection to attacker-controlled pods, though EPSS scoring is not available for this recently disclosed vulnerability.
CVE-2026-32769 is a security vulnerability. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
CVE-2026-32768 is a security vulnerability. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
A misconfigured NetworkPolicy in Kubernetes deployments allows attackers to perform unauthorized lateral movement between namespaces, breaking namespace isolation security boundaries. This vulnerability affects Kubernetes environments with improperly configured inter-namespace NetworkPolicies, specifically those with 'inter-ns' prefixed policies in monitoring namespaces. An attacker who compromises any component can pivot to access resources in other namespaces, potentially accessing sensitive data or systems they shouldn't have access to.
OneUptime versions prior to 10.0.24 contain a sensitive information exposure vulnerability where the password reset flow logs complete password reset URLs containing plaintext reset tokens at the INFO log level, which is enabled by default in production environments. Any actor with access to application logs-including log aggregation systems, Docker logs, or Kubernetes pod logs-can extract these tokens and perform account takeover on any user. The vulnerability is fixed in version 10.0.24.
Silent event loss in Inspektor Gadget prior to 0.50.1 allows local attackers to cause denial of service by filling the 256KB ring-buffer, which triggers undetected data drops without alerting users or administrators. When the buffer becomes full, gadgets silently discard events and fail to report the loss count, potentially hiding critical system events from Kubernetes cluster and Linux host monitoring. A local attacker with limited privileges can exploit this to obscure malicious activity or system anomalies by saturating the instrumentation buffer.
Medium severity vulnerability in HashiCorp Consul. HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.
Kubernetes flagd feature flag daemon versions before 0.14.2 are vulnerable to denial of service through unbounded memory allocation on publicly accessible evaluation endpoints. An unauthenticated attacker can send HTTP requests with arbitrarily large payloads to exhaust memory and crash the service. This affects deployments without external authentication controls, allowing trivial process termination in containerized environments.
Argo Workflows versions 2.9.0 through 4.0.1 (and 3.x before 3.7.11) allow authenticated users to bypass WorkflowTemplate security policies by injecting a podSpecPatch field in workflow submissions, circumventing even strict template referencing controls. An attacker with workflow submission privileges can exploit this to modify pod specifications without security validation, potentially gaining unauthorized access or executing arbitrary code. This vulnerability affects organizations using Kubernetes with Argo Workflows and requires upgrading to versions 4.0.2, 3.7.11 or later to remediate.
Auth bypass in Argo Workflows before 4.0.2/3.7.11.
Kubewarden's deprecated host-callback APIs in AdmissionPolicy can be exploited by authenticated users with policy creation permissions to gain unauthorized read access to cluster-level resources including Ingresses, Namespaces, and Services. An attacker with privileged AdmissionPolicy creation permissions—not a default privilege—could craft malicious policies to bypass intended access controls and enumerate sensitive cluster infrastructure, though this vulnerability is limited to read-only access without write capability or access to Secrets and ConfigMaps. The vulnerability affects Kubernetes deployments using Kubewarden and currently has no available patch.
Arbitrary code execution in ingress-nginx controllers via malicious rewrite-target annotations allows authenticated attackers to execute commands and exfiltrate cluster secrets. Kubernetes administrators using ingress-nginx are at risk, particularly in default configurations where the controller has cluster-wide secret access. No patch is currently available.
Zarf is an Airgap Native Packager Manager for Kubernetes. [CVSS 8.2 HIGH]
LangSmith Studio contains a URL parameter injection vulnerability that allows attackers to steal authentication tokens, user IDs, and workspace credentials from users who click malicious links, enabling account takeover and unauthorized access to workspace resources. Both LangSmith Cloud and self-hosted Kubernetes deployments are affected, with exploitation requiring social engineering to trick authenticated users into clicking attacker-controlled URLs. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
Path traversal in Kaniko 1.25.4 through 1.25.9 allows attackers to extract tar archives outside the intended destination directory, enabling arbitrary file writes on the build system. When combined with Docker credential helpers in registry authentication scenarios, this vulnerability can be leveraged for code execution within the Kaniko executor process. Docker and Kubernetes environments using the affected Kaniko versions are at risk.
Kruise provides automated management of large-scale applications on Kubernetes. Prior to versions 1.8.3 and 1.7.5, PodProbeMarker allows defining custom probes with TCPSocket or HTTPGet handlers.
Arbitrary host file exfiltration from Cloud Hypervisor VMM versions 34.0-50.0. CVSS 10.0. Patch available.
Strimzi Kafka Operator versions 0.49.0-0.50.0 incorrectly trusts all intermediate CAs in a multistage certificate chain for mTLS authentication, allowing any user with a certificate signed by any CA in the chain to authenticate to Kafka listeners. This authentication bypass affects only deployments using custom Cluster or Clients CA with multi-level CA chains. No patch is currently available.
Strimzi versions 0.47.0 through 0.50.0 improperly trust all certificates in a CA chain rather than only the intended signing authority, allowing Kafka Connect and MirrorMaker 2 operands to accept connections from brokers with certificates signed by intermediate CAs. An attacker could leverage this improper certificate validation to establish unauthorized connections to Kafka clusters using alternate CA-signed certificates from the trusted chain. This vulnerability requires high privileges to configure the CA chain and has no available patch at this time.
Authorization bypass in Kargo Kubernetes promotion tool from 1.7.0 before 1.7.8/1.8.11/1.9.3. Batch resource creation bypasses authorization checks. Patch available.
Kargo versions 1.9.0 through 1.9.2 fail to enforce the custom "promote" authorization verb in three REST API endpoints, allowing authenticated users with standard Kubernetes RBAC permissions to trigger promotions without the intended fine-grained access controls. An attacker with patch permissions on freight status or create permissions on promotions can bypass promotion pipeline restrictions and advance software artifacts unauthorized. A patch is available to restore the missing authorization checks.
Arbitrary code execution in Yoke's Air Traffic Controller component allows authenticated users with CustomResource create/update permissions to execute malicious WebAssembly modules by injecting crafted URLs into the overrides.yoke.cd/flight annotation, potentially enabling cluster-admin privilege escalation. The vulnerability affects Yoke 0.19.0 and earlier, with no patch currently available and an 8.8 CVSS severity rating.
Unauthenticated webhook endpoints in Yoke's Air Traffic Controller component allow any pod within a Kubernetes cluster to submit AdmissionReview requests and execute WASM modules in the controller's context without authorization. This affects Yoke versions 0.19.0 and earlier, enabling attackers with cluster access to bypass API Server authentication and potentially compromise the infrastructure-as-code deployment pipeline. No patch is currently available.
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter injection. PoC and patch available.
Element Server Suite Community Edition (ESS Community) deploys a Matrix stack using the provided Helm charts and Kubernetes distribution.
Antrea Kubernetes networking has an authentication bypass enabling unauthorized access to the Kubernetes network policy infrastructure.
A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. [CVSS 8.8 HIGH]
Devtron is an open source tool integration platform for Kubernetes. [CVSS 8.8 HIGH]
Denial-of-service in cert-manager versions 1.18.0-1.18.4 and 1.19.0-1.19.2 allows network-adjacent attackers to crash the controller by poisoning DNS cache entries during ACME DNS-01 validation through unencrypted DNS traffic interception. An attacker positioned to intercept DNS queries from the cert-manager pod can inject malicious DNS responses that trigger a panic in the controller, disrupting certificate management operations in affected Kubernetes clusters. A patch is available for immediate deployment.
Arbitrary code execution in ingress-nginx controllers via malicious `nginx.ingress.kubernetes.io/auth-method` Ingress annotations allows authenticated attackers to execute commands within the controller context and access cluster-wide Secrets. This vulnerability affects Nginx and Kubernetes deployments where the ingress controller has default cluster-wide Secret access permissions. No patch is currently available.
Inspektor Gadget versions prior to 0.48.1 allow local attackers with limited privileges to execute arbitrary commands during custom gadget image builds due to insufficient input sanitization in Makefile generation. An attacker who can control buildOptions parameters can inject shell commands that execute with the privileges of the build process. Public exploit code exists for this vulnerability.
Authorization bypass in vCluster Platform Kubernetes virtual cluster management before 4.6.0/4.5.4/4.4.4. Users can access resources outside their authorized virtual cluster scope.
Podman Desktop versions prior to 1.25.1 contain an authentication bypass in the extension permission framework where the `isAccessAllowed()` function always returns true, allowing malicious extensions to hijack authentication sessions and access sensitive resources without authorization. Public exploit code exists for this vulnerability, affecting all current deployments of the affected product. Administrators should upgrade to version 1.25.1 or later immediately.
Kargo's GetConfig() API endpoint fails to validate Bearer token authenticity, allowing unauthenticated attackers to retrieve sensitive configuration data including Argo CD cluster endpoints and namespaces that could facilitate further attacks. The same authentication bypass affects the RefreshResource endpoint, which can be leveraged for denial-of-service attacks. Versions 1.6.3, 1.7.7, and 1.8.7 and later include patches for this vulnerability.
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass and unauthorized cluster operations.
Skipper versions up to 0.24.0 contains a vulnerability that allows attackers to list targets of an ExternalName and allow list via regular expressions (CVSS 8.1).
Flux Operator versions 0.36.0 through 0.39.x contain an authentication bypass in the Web UI that allows authenticated users to escalate privileges and execute API requests with the operator's service account permissions. The vulnerability affects deployments where OIDC providers issue incomplete token claims or custom CEL expressions evaluate to empty values, bypassing Kubernetes RBAC impersonation controls. Cluster administrators running affected Flux Operator versions should upgrade to 0.40.0 or later.
Stored XSS in Argo Workflows artifact directory listing (versions prior to 3.6.17 and 3.7.8) allows workflow authors to inject malicious JavaScript that executes in other users' browsers under the Argo Server origin. An attacker can leverage the victim's session to perform API actions and access resources with their privileges. Public exploit code exists for this vulnerability; patched versions are available.
External Secrets Operator versions 0.20.2 through 1.1.x contain an authorization bypass in the getSecretKey template function that allows authenticated users to retrieve secrets across namespace boundaries, circumventing intended access controls. An attacker with local Kubernetes access could exploit this to exfiltrate sensitive data managed by the operator outside their authorized namespace. The vulnerability has been patched in version 1.2.0 where the function was completely removed.
Skipper versions before 0.23.0 allow authenticated users with Ingress resource creation privileges to execute arbitrary Lua scripts that read sensitive filesystem data and secrets accessible to the Skipper process. The vulnerability stems from the default -lua-sources=inline configuration enabling untrusted users to create inline Lua filters. Public exploit code exists for this high-severity vulnerability affecting Kubernetes environments running vulnerable Skipper versions.
Pepr is a type safe K8s middleware. Prior to 1.0.5 , Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality. [CVSS 7.7 HIGH]
Credential theft via Lua script execution in Envoy Gateway versions before 1.5.7 and 1.6.2 allows authenticated attackers to extract proxy credentials and subsequently access the control plane and all associated secrets including TLS private keys. Public exploit code exists for this vulnerability. Affected organizations running vulnerable Envoy Gateway instances should immediately upgrade as no patch is currently available for intermediate versions.
Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. [CVSS 7.9 HIGH]
A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. [CVSS 7.8 HIGH]
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The issue is fixed in Strimzi 0.49.1.
MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, there is a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8.
Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
Typebot is an open-source chatbot builder. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} Cilium has a BPF egress gateway feature which forces outgoing K8s Pod.
The Datadog Agent collects events and metrics from hosts and sends them to Datadog. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.
A flaw was found in the Observability Operator. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.0). Public exploit code available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. Public exploit code available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code available.
MARIN3R is a lightweight, CRD based envoy control plane for kubernetes. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.