75 matches found
CVE-2026-55225
When the Strimzi cluster operator is deployed with watchAnyNamespace=true or a multi-namespace list, any namespace editor can set Kafka.spec.entityOperator.userOperator.watchedNamespace or topicOperator.watchedNamespace to an arbitrary namespace. The cluster operator then creates a Role granting...
CVE-2026-47190 IPAM controller service account granted unnecessary full access to Secrets
IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions create, delete, get, list, patch, update, watch on core/v1 Secrets. The controller never accesses Secrets during normal...
EUVD-2026-36463
IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions create, delete, get, list, patch, update, watch on core/v1 Secrets. The controller never accesses Secrets during normal...
CVE-2026-47190 IPAM controller service account granted unnecessary full access to Secrets
IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions create, delete, get, list, patch, update, watch on core/v1 Secrets. The controller never accesses Secrets during normal...
CVE-2026-47190
The CVE concerns IPAM (Metal3) where the IPAM controller’s ClusterRole granted full CRUD access to core/v1 Secrets prior to versions 1.11.7, 1.12.4, and 1.13.0. Although the controller does not access Secrets during normal operation, a compromised IPAM pod (e.g., via supply‑chain attack or contai...
EUVD-2026-36092
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted...
GHSA-64CJ-QVX5-M4F3 Nhost CLI local configserver allows cross-origin unauthenticated read/write access to local development configuration and secrets
Summary The hidden nhost configserver used by nhost dev exposes the Mimir GraphQL API with dummy authorization directives and permissive CORS. When a developer is running the local development environment, any process that can reach the developer's localhost service, including a web page loaded...
GHSA-49PM-43HF-6XFQ IPAM controller service account granted unnecessary full access to Secrets
Impact IPAM is the IP address Manager for Cluster API Provider Metal3. The IPAM controller's ClusterRole granted full CRUD permissions create, delete, get, list, patch, update, watch on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were...
IPAM controller service account granted unnecessary full access to Secrets
Impact IPAM is the IP address Manager for Cluster API Provider Metal3. The IPAM controller's ClusterRole granted full CRUD permissions create, delete, get, list, patch, update, watch on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were...
PT-2026-45027
Name of the Vulnerable Software and Affected Versions IPAM versions prior to 1.11.7 IPAM versions prior to 1.12.4 IPAM versions prior to 1.13.0 Description The IPAM controller's ClusterRole grants excessive CRUD permissions create, delete, get, list, patch, update, watch on core/v1 Secrets, despi...
Malicious code in lynx-keeper-cli (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9cebbf0e6cc5a35eea6e6869d295d072526b6ff7d566c49bc80f15952138cf88 lynx-keeper-cli ships a heavily obfuscated payload in dist/index.js that runs at require time. After a CI-evasion gate that aborts when...
GHSA-85G2-PMRX-R49Q Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read
Summary Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted namespace-wide get on secrets and configmaps it needs that to load function code, env vars, and config. The runtime pod's automounted token was reachable from...
PT-2026-42606
Summary Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted namespace-wide get on secrets and configmaps it needs that to load function code, env vars, and config. The runtime pod's automounted token was reachable from...
PT-2026-42687
Name of the Vulnerable Software and Affected Versions Fission versions prior to 1.23.0 Description Runtime pods were configured with the fission-fetcher ServiceAccount, which possesses namespace-wide get permissions for secrets and configmaps. Because the service account token was automounted and...
CVE-2026-6389 IBM Turbonomic Prometurbo agent used by IBM Turbonomic Application Resource Management is affected by a single vulnerability
IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster‑wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials,...
EUVD-2026-26446
IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster‑wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials,...
Security Bulletin: IBM Turbonomic Prometurbo agent used by IBM Turbonomic Application Resource Management is affected by a single vulnerability (CVE-2026-6389)
Summary IBM Turbonomic Prometurbo is an agent used by IBM Turbonomic Application Resource Management to integrate with Prometheus to collect application metrics and send them to Turbonomic for analysis and generation of optimization plans. A security vulnerability has been addressed in the IBM...
CVE-2026-40525
OpenViking prior to version 0.3.9 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the apikey configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke...
OpenViking: Unauthenticated remote bot control via OpenAPI HTTP routes
OpenViking prior to commit c7bb167 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the apikey configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke...
PT-2026-33478
Name of the Vulnerable Software and Affected Versions OpenViking versions prior to commit c7bb167 Description An authentication bypass exists in the VikingBot OpenAPI HTTP route surface. The issue occurs when the api key configuration value is unset or empty, causing the authentication check to...