158 matches found
CVE-2026-15738
Incorrect behavior order in the Gateway API listener-rule generation in Amazon AWS Load Balancer Controller before 3.4.2 might allow an authenticated remote user to intercept, spoof, or deny another namespace's gRPC traffic on a shared Gateway via a crafted HTTPRoute resource. To mitigate this...
PT-2026-58726
Name of the Vulnerable Software and Affected Versions Amazon AWS Load Balancer Controller versions prior to 3.4.2 Description An issue exists in the Gateway API listener-rule generation where rules are ordered by route type rather than specificity when an HTTPRoute and GRPCRoute share an ALB...
CVE-2026-62147
The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants' namespaces. Mitigation There is no mitigation or workarou...
CVE-2026-44935
The vulnerability (CVE-2026-44935) affects SUSE Rancher Fleet’s Helm Deployer where missing validation of valuesFrom references enables cross-tenant access to fleet credentials stored in secrets/config maps on downstream clusters. Affected versions include Fleet 0.15.x before 0.15.2, 0.14.x befor...
GHSA-GC3J-79F2-7VVW Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance
Summary A low-privilege developer who could create a KubernetesWatchTrigger KWT in their own namespace was able to establish a persistent surveillance channel over any other namespace. Details Two independent flaws compounded: 1. pkg/kubewatcher/kubewatcher.go::createKubernetesWatch used...
CVE-2026-53077
In the Linux kernel, the following vulnerability has been resolved: net/rds: Restrict use of RDS/IB to the initial network namespace Prevent using RDS/IB in network namespaces other than the initial one. The existing RDS/IB code will not work properly in non-initial network namespaces...
VulnCheck KEV: CVE-2022-0492
A vulnerability was found in the Linux kernel’s cgroupreleaseagentwrite in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 releaseagent feature to escalate privileges and bypass the namespace isolation unexpectedly...
PT-2026-47580
Summary CAPM3 is Metal3's Cluster API CAPI provider for baremetal provisioning in Kubernetes. Multiple cross-namespace access control vulnerabilities in Cluster API Provider Metal3 allow users with permissions to create or modify CAPM3 resources in one namespace to reference, read, or claim...
GHSA-3G33-6VG6-27M8 Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger
Summary The Fission router registers an internal-style route — /fission-function/ and /fission-function// — for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers svc/router, port 8888, so...
PT-2026-42589
Summary The Fission router registers an internal-style route — /fission-function/ and /fission-function// — for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers svc/router, port 8888, so...
Astra Linux – Vulnerability in Linux, Linux 5.10
A vulnerability was discovered in the cgroupreleaseagentwrite function of the Linux kernel, within the kernel/cgroup/cgroup-v1.c file. Under certain circumstances, this flaw allows the use of the cgroups v1 releaseagent feature to escalate privileges and bypass namespace isolation unexpectedly...
CVE-2026-44424
ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace tenant. Any authenticated user JWT or API Key who knows or can guess a device UID...
CVE-2026-42875 External Secrets Operator: Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace w...
CVE-2026-42875
External Secrets Operator contains a namespace isolation bypass in CAProvider ConfigMap resolution for SecretStore. Before v2.4.0, Namespaced SecretStore resources using CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace was set, bypassing th...
CVE-2026-42875 External Secrets Operator: Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace w...
CVE-2026-43403
In the Linux kernel, the following vulnerability has been resolved: nsfs: tighten permission checks for ns iteration ioctls Even privileged services should not necessarily be able to see other privileged service's namespaces so they can't leak information to each other. Use mayseeallnamespaces...
External Secrets Operator has Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore
Impact Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace was set. This bypassed the namespace boundary enforced for SecretStore-backed references in providers that rely on the shared runtime CA...
SUSE CVE-2026-41174
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetesCRD.allowCrossNamespace=false, Traefik correctly rejects...
Traefik < 2.11.43 / 3.x < 3.6.14 Multiple Vulnerabilities
The version of Traefik installed on the remote macOS host is prior to 2.11.43 or 3.x prior to 3.6.14. It is, therefore, affected by multiple vulnerabilities: - An authentication bypass via StripPrefixRegex and ForwardAuth dot-segment normalization. When StripPrefixRegex processes URLs with...
CVE-2026-41174
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetesCRD.allowCrossNamespace=false, Traefik correctly rejects...