
12 matches found

Positive Technologies
added 2026/05/21 12:0 a.m. · 4 views

PT-2026-42688

Summary: Before the round-1 security sweep, pkg/builder/builder.go passed Environment.spec.builder.command directly into exec.Command... after a strings.Fields split, with no validation of the executable path or its arguments. A user who could create or update Environment CRDs in a namespace...

AI score 6.2
Exploits 0 · References 5
Positive Technologies
added 2026/05/21 12:0 a.m. · 4 views

PT-2026-42605

Summary: Before the round-1 security sweep, pkg/builder/builder.go passed Environment.spec.builder.command directly into exec.Command... after a strings.Fields split, with no validation of the executable path or its arguments. A user who could create or update Environment CRDs in a namespace...

AI score 6.2
Exploits 0 · References 5
Snyk
added 2026/01/27 6:1 p.m. · 2 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via apiCall. An attacker can gain unauthorized access to sensitive resources and escalate privileges via malicious urlPath values that cause the system to perform Kubernetes API requests outside the...

CVSS 9.9 · AI score 5.9 · EPSS 0.00026
Exploits 1 · References 2
Cvelist
added 2025/12/05 6:31 p.m. · 14 views

CVE-2025-66623 Strimzi allows unrestricted access to all Secrets in the same Kubernetes namespace from Kafka Connect and MirrorMaker 2 operands

Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands th...

CVSS 7.4 · EPSS 0.00023
Exploits 0 · References 2
CVE
added 2025/12/05 6:31 p.m. · 11 views

CVE-2025-66623

Strimzi (Kafka on Kubernetes/OpenShift) has a vulnerability in versions 0.47.0–0.49.0 where an incorrect Kubernetes Role allows GET access to all Secrets in the target namespace for Kafka Connect and MirrorMaker 2 operands. The issue is fixed in Strimzi 0.49.1. Impact is restricted to unauthorize...

CVSS 7.4 · AI score 6.4 · EPSS 0.00023
Exploits 0 · References 2 · Affected Software 1
OSV
added 2025/11/12 6:31 p.m. · 1 view

GHSA-MJ6P-P843-X5WC Observability Operator is vulnerable to Incorrect Privilege Assignment through its Custom Resource MonitorStack

A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with ClusterRole upon deployment of the Namespace-Scoped Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a...

CVSS 8.8 · AI score 6.6 · EPSS 0.00053
Exploits 0 · References 7
Vulnrichment
added 2025/11/12 4:36 p.m. · 2 views

CVE-2025-2843 Observability-operator: observability operator privilege escalation

A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with ClusterRole upon deployment of the Namespace-Scoped Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a...

CVSS 8.8 · AI score 6.1 · EPSS 0.00053
Exploits 0 · References 3
Snyk
added 2025/03/18 3:17 p.m. · 0 views

Improper Privilege Management

Overview: Affected versions of this package are vulnerable to Improper Privilege Management when handling namespace scopes for BMCEventSubscription. A user with namespace level roles can access and manipulate secrets from unauthorized namespaces by creating a BMCEventSubscription in a namespace th...

CVSS 8.2 · AI score 6.8 · EPSS 0.00059
Exploits 0 · References 3
OSV
added 2025/03/17 9:26 p.m. · 8 views

GHSA-C98H-7HP9-V9HQ Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD

Impact: The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. Baremetal Operator enables users to load Secret from arbitrary namespaces upon deployment of the namespace scoped Custom Resource BMCEventSubscription (BMCES). An adversary Kubernetes account wit...

CVSS 6.5 · AI score 6.3 · EPSS 0.00059
Exploits 0 · References 7
Positive Technologies
added 2024/08/20 12:0 a.m. · 2 views

PT-2024-30561 · Kanister +1

Name of the Vulnerable Software and Affected Versions: Kanister, affected versions not specified
Description: Kanister is a data protection workflow management tool. The kanister has a deployment called default-kanister-operator, which is bound with a ClusterRole called edit via ClusterRoleBinding...

CVSS 8.8 · AI score 6.8 · EPSS 0.00089
Exploits 0 · References 20
Positive Technologies
added 2024/01/03 12:0 a.m. · 1 view

PT-2024-13887 · Laf

Name of the Vulnerable Software and Affected Versions: Laf versions 1.0.0-beta.13 and prior
Description: Laf is a cloud development platform that uses communication with k8s to quickly retrieve logs from the container without the need for additional storage. However, the interface does not verify...

CVSS 9.6 · AI score 6.1 · EPSS 0.00054
Exploits 1 · References 7
Kitploit
added 2020/09/09 11:30 a.m. · 35 views

Rakkess - Kubectl Plugin To Show An Access Matrix For K8S Server Resources

Review Access - kubectl plugin to show an access matrix for server resources. Intro: Have you ever wondered what access rights you have on a provided kubernetes cluster? For single resources you can use kubectl auth can-i list deployments, but maybe you are looking for a complete overview? This is...

AI score 7.1
Exploits 0 · References 7