Lucene search
K

10 matches found

Vulnrichment
Vulnrichment
added 2026/05/13 8:4 a.m.10 views

CVE-2026-41050 Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo...

9.9CVSS5.9AI score0.00379EPSS
Exploits0References2
OSV
OSV
added 2026/02/02 9:5 p.m.4 views

GO-2026-4351 Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims in github.com/controlplaneio-fluxcd/flux-operator

Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims in github.com/controlplaneio-fluxcd/flux-operator...

5.3CVSS5.3AI score0.00303EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/01/21 10:25 p.m.2 views

CVE-2026-23990

The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...

5.3CVSS5.6AI score0.00303EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/01/21 10:25 p.m.17 views

CVE-2026-23990 Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims

The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...

5.3CVSS0.00303EPSS
Exploits0References4
OSV
OSV
added 2026/01/21 10:25 p.m.5 views

CVE-2026-23990 Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims

The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...

5.3CVSS5.9AI score0.00303EPSS
Exploits0References6
CVE
CVE
added 2026/01/21 10:25 p.m.15 views

CVE-2026-23990

CVE-2026-23990 affects the Flux Operator Web UI in Flux CD/ControlPlane prior to 0.40.0. The issue is a privilege-escalation through an impersonation bypass when OIDC tokens provide empty/invalid claims that CEL expressions can evaluate to empty; then Kubernetes client-go fails to add impersonati...

5.3CVSS5.8AI score0.00303EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/01/21 10:25 p.m.2 views

CVE-2026-23990 Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims

The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...

5.3CVSS5.8AI score0.00303EPSS
Exploits0References4
EUVD
EUVD
added 2026/01/21 10:23 p.m.6 views

EUVD-2026-4140

Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims...

5.3CVSS5.4AI score0.00303EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/01/21 10:23 p.m.9 views

Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims

A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. After OIDC token claims are processed through CEL expressions, there...

5.3CVSS5.9AI score0.00303EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2014/04/01 6:35 a.m.6 views

CVE-2014-2237

The memcache token backend in OpenStack Identity Keystone 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being...

6.1AI score
Exploits0References4
Rows per page
Query Builder