140 matches found
PT-2026-37195
Name of the Vulnerable Software and Affected Versions Argo Workflows versions 4.0.0 through 4.0.4 Description The Sync Service's ConfigMap-backed provider in server/sync/sync cm.go lacks authorization checks for all create, read, update, and delete CRUD operations. This allows any authenticated...
SUSE CVE-2026-41068
Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's apiCall context by validating the URLPath field. However, the ConfigMap context loader has the identical vulnerability - the...
CVE-2026-41068
Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's apiCall context by validating the URLPath field. However, the ConfigMap context loader has the identical vulnerability — the...
CVE-2026-41068 Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)
Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's apiCall context by validating the URLPath field. However, the ConfigMap context loader has the identical vulnerability — the...
CVE-2026-41068
Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's apiCall context by validating the URLPath field. However, the ConfigMap context loader has the identical vulnerability — the...
CVE-2026-41068
CVE-2026-41068 concerns Kyverno: the ConfigMap context loader does not validate the namespace field, enabling a namespace admin to read ConfigMaps across namespaces using Kyverno’s privileged service account and causing a complete RBAC bypass in multi-tenant clusters. This mirrors the previously ...
Kyverno 安全漏洞
Kyverno is an open-source policy engine designed for Kubernetes by Kyverno developers. There is a security vulnerability in Kyverno, which stems from the fact that the ConfigMap context loader does not validate the configMap.namespace field. This allows namespace administrators to use Kyverno’s...
GHSA-CVQ5-HHX3-F99P Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)
Summary CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's apiCall context by validating the URLPath field. However, the ConfigMap context loader has the identical vulnerability — the configMap.namespace field accepts any namespace with zero validation, allowing a namespace...
Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)
Summary CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's apiCall context by validating the URLPath field. However, the ConfigMap context loader has the identical vulnerability — the configMap.namespace field accepts any namespace with zero validation, allowing a namespace...
CVE-2026-32281 vulnerabilities
Vulnerabilities for packages: goreleaser, kubernetes-csi-driver-hostpath, newrelic-infrastructure-agent, configmap-reload, conjur-cli, litefs, mods, docker-cli-buildx, azure-service-operator, argo-workflows, aws-flb-cloudwatch, croc, ipfs-cluster, kapp, rancher, cosign, authservice, task,...
CVE-2026-25679 vulnerabilities
Vulnerabilities for packages: skopeo-fips, amazon-ssm-agent-fips, rke2-cloud-provider-fips, pulumi, karma, kubernetes-ingress-defaultbackend-fips, falcoctl, mongodb-kubernetes-operator-fips, azcopy, crossplane-provider-aws-lambda, kubernetes-csi-external-attacher-fips, victoriametrics, sops-fips,...
podman: Podman kube play command may overwrite host files
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the targ...
podman: Podman kube play command may overwrite host files
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the targ...
SUSE CVE-2025-64432
KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer's authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to...
Incorrect Permission Assignment for Critical Resource
Overview Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource due to the virt-api component failing to validate the CN field in client TLS certificates against allowed values in the extension-apiserver-authentication configmap. An attacker can...
Incorrect Permission Assignment for Critical Resource
Overview Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource due to the virt-api component failing to validate the CN field in client TLS certificates against allowed values in the extension-apiserver-authentication configmap. An attacker can...
GHSA-447V-2QG4-H8HC vulnerabilities
Vulnerabilities for packages: kubernetes-csi-driver-hostpath, custom-pod-autoscaler-operator, fq, govulncheck, configmap-reload, dockerize, glow, helm-mapkubeapis, kubernetes-replicator, conjur-cli, litefs, mc, mods, shfmt, spark-operator, pulumi-kubernetes-operator, spqr, mongo-tools,...
GHSA-RJCG-56PH-3QVG vulnerabilities
Vulnerabilities for packages: kubernetes-csi-driver-hostpath, configmap-reload, conjur-cli, litefs, mods, docker-cli-buildx, cert-manager-webhook-pdns, ipfs-cluster, kapp, tfsec, skopeo, task, prometheus-blackbox-exporter, hello-world-golang, nerdctl, wireguard-go, guac,...
GHSA-JWMF-CHVC-RF92 vulnerabilities
Vulnerabilities for packages: kubernetes-csi-driver-hostpath, configmap-reload, conjur-cli, litefs, mods, docker-cli-buildx, cert-manager-webhook-pdns, ipfs-cluster, kapp, tfsec, skopeo, task, prometheus-blackbox-exporter, hello-world-golang, nerdctl, wireguard-go, guac,...
CVE-2025-58186 vulnerabilities
Vulnerabilities for packages: kubernetes-csi-driver-hostpath, configmap-reload, conjur-cli, litefs, mods, docker-cli-buildx, cert-manager-webhook-pdns, ipfs-cluster, kapp, tfsec, skopeo, task, prometheus-blackbox-exporter, hello-world-golang, nerdctl, wireguard-go, guac,...