Skip to main content

Pinniped

3 CVEs product

Monthly

CVE-2026-59269 LOW Monitor

Privilege escalation in VMware Pinniped's Kubernetes authentication layer allows an attacker who already controls Active Directory group distinguished names to gain elevated Kubernetes RBAC permissions beyond their legitimate entitlements. The flaw affects Pinniped v0.11.0 through v0.46.0 when the Supervisor is configured with an ActiveDirectoryIdentityProvider and a specific empty groupName attribute, and only when an attacker simultaneously holds write access to AD group entries and valid AD user credentials. No public exploit code exists and this is not listed in CISA KEV; the vendor CVSS score of 3.8 (Low) reflects the highly constrained exploitation prerequisites.

Kubernetes Information Disclosure Pinniped
NVD GitHub
CVSS 3.1
3.8
EPSS
0.2%
CVE-2022-31677 Go MEDIUM PATCH This Month

An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Kubernetes Pinniped
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2022-22975 MEDIUM This Month

An issue was discovered in the Pinniped Supervisor with either LADPIdentityProvider or ActiveDirectoryIdentityProvider resources. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Kubernetes Code Injection Pinniped
NVD GitHub
CVSS 3.1
6.6
EPSS
0.9%
EPSS 0% CVSS 3.8
LOW Monitor

Privilege escalation in VMware Pinniped's Kubernetes authentication layer allows an attacker who already controls Active Directory group distinguished names to gain elevated Kubernetes RBAC permissions beyond their legitimate entitlements. The flaw affects Pinniped v0.11.0 through v0.46.0 when the Supervisor is configured with an ActiveDirectoryIdentityProvider and a specific empty groupName attribute, and only when an attacker simultaneously holds write access to AD group entries and valid AD user credentials. No public exploit code exists and this is not listed in CISA KEV; the vendor CVSS score of 3.8 (Low) reflects the highly constrained exploitation prerequisites.

Kubernetes Information Disclosure Pinniped
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Kubernetes Pinniped
NVD GitHub
EPSS 1% CVSS 6.6
MEDIUM This Month

An issue was discovered in the Pinniped Supervisor with either LADPIdentityProvider or ActiveDirectoryIdentityProvider resources. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Kubernetes Code Injection Pinniped
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy