A flaw was found in the KubeVirt main virt-handler versions before 0.26.0 regarding the access permissions of virt-handler. An attacker with access to create VMs could attach any secret within their namespace, allowing them to read the contents of that secret.
[
{
"product": "virt-handler",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "kubevirt 0.26.0"
}
]
}
]