
41 matches found

Cvelist
added 2026/06/12 2:49 p.m. | 22 views

CVE-2026-47190 IPAM controller service account granted unnecessary full access to Secrets

IPAM is the IP Address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal...

CVSS 4.4 | EPSS 0.00421
Exploits: 0 | References: 4

RedHat Linux
added 2026/04/21 5:38 p.m. | 5 views

Important: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 3.3.2

Red Hat OpenShift Service Mesh 3.3.2. This update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. Red Hat OpenShift Service Mesh 3.3....

CVSS 7.5 | AI score 7.3 | EPSS 0.0052
Exploits: 0 | References: 4

CVE
added 2026/04/09 5:14 p.m. | 17 views

CVE-2026-39961

CVE-2026-39961 (Aiven Operator) affects Aiven Operator versions 0.31.0–0.36.x. A developer with create permission on ClickhouseUser CRDs in their own namespace can exfiltrate secrets from any namespace. The operator reads the victim’s secret using its ClusterRole (aiven-operator-role) and writes ...

CVSS 6.8 | AI score 5.9 | EPSS 0.00394
Exploits: 0 | References: 3 | Affected Software: 1

EUVD
added 2025/10/03 8:7 p.m. | 4 views

EUVD-2024-2861

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 6.4 | EPSS 0.00591
Exploits: 0 | References: 8

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2025-27707

Malicious code in bioql PyPI...

CVSS 5 | AI score 6.6 | EPSS 0.00194
Exploits: 0 | References: 1

EUVD
added 2025/10/03 8:7 p.m. | 4 views

EUVD-2024-2588

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 6.4 | EPSS 0.00515
Exploits: 0 | References: 5

ATTACKERKB
added 2025/06/24 6:15 p.m. | 4 views

CVE-2025-23260

NVIDIA AIStore contains a vulnerability in the AIS Operator where a user may gain elevated k8s cluster access by using the ServiceAccount attached to the ClusterRole. A successful exploit of this vulnerability may lead to information disclosure...

CVSS 5 | AI score 5.8 | EPSS 0.00194
Exploits: 0 | References: 2

RedhatCVE
added 2025/06/12 8:9 p.m. | 7 views

CVE-2025-2843

A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with ClusterRole upon deployment of the Namespace-Scoped Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a...

CVSS 8.8 | AI score 6.9 | EPSS 0.00285
Exploits: 0 | References: 3

RedhatCVE
added 2025/05/23 10:28 a.m. | 5 views

CVE-2024-45054

Hwameistor is an HA local storage system for cloud-native stateful workloads. This ClusterRole has verbs of resources. If a malicious user can access the worker node which has hwameistor's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster,...

CVSS 6.7 | AI score 6.7 | EPSS 0.00252
Exploits: 0

RedhatCVE
added 2025/05/23 7:58 a.m. | 7 views

CVE-2024-33398

There is a ClusterRole in piraeus-operator v2.5.0 and earlier which has been granted list secrets permission, which allows an attacker to impersonate the service account bound to this ClusterRole and use its high-risk privileges to list confidential information across the cluster...

CVSS 7.5 | AI score 6.5 | EPSS 0.00599
Exploits: 0 | References: 1

CVE
added 2025/04/02 11:7 a.m. | 115 views

CVE-2025-2786

CVE-2025-2786 affects Grafana Tempo Operator. A flaw during TempoStack/TempoMonolithic deployment creates a ServiceAccount, ClusterRole, and ClusterRoleBinding, enabling a user with full access to their namespace to extract the ServiceAccount token and use TokenReview and SubjectAccessReview requ...

CVSS 4.3 | AI score 7 | EPSS 0.00295
Exploits: 0 | References: 5

RedhatCVE
added 2025/04/02 11:7 a.m. | 12 views

CVE-2025-2786

A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview...

CVSS 4.3 | AI score 7 | EPSS 0.00295
Exploits: 0 | References: 3

RedhatCVE
added 2025/02/05 3:33 a.m. | 6 views

CVE-2024-45041

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources. It...

CVSS 8.8 | AI score 8.4 | EPSS 0.00591
Exploits: 0 | References: 1

Veracode
added 2024/09/10 5:5 a.m. | 11 views

Privilege Escalation

github.com/external-secrets/external-secrets is vulnerable to privilege escalation. The vulnerability is due to improper configuration of the ClusterRole, which grants "get/list" verbs for secrets resources and "patch/update" verbs for validating webhook configurations. It allows an attacker to abu...

CVSS 8.8 | AI score 6.8 | EPSS 0.00591
Exploits: 0 | References: 6 | Affected Software: 1

OSV
added 2024/09/09 6:16 p.m. | 16 views

GHSA-QWGC-RR35-H4X9 External Secrets Operator vulnerable to privilege escalation

Details The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets...

CVSS 8.3 | AI score 8.7 | EPSS 0.00591
Exploits: 0 | References: 8

Github Security Blog
added 2024/09/09 6:16 p.m. | 21 views

External Secrets Operator vulnerable to privilege escalation

Details The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets...

CVSS 8.8 | AI score 7.2 | EPSS 0.00591
Exploits: 0 | References: 8 | Affected Software: 1

Vulnrichment
added 2024/09/09 2:54 p.m. | 18 views

CVE-2024-45041 External Secrets Operator vulnerable to privilege escalation

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources. It...

CVSS 8.3 | AI score 6.7 | EPSS 0.00591
Exploits: 0 | References: 2

Cvelist
added 2024/09/09 2:54 p.m. | 29 views

CVE-2024-45041 External Secrets Operator vulnerable to privilege escalation

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources. It...

CVSS 8.3 | EPSS 0.00591
Exploits: 0 | References: 2

OSV
added 2024/09/09 2:54 p.m. | 23 views

CVE-2024-45041 External Secrets Operator vulnerable to privilege escalation

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources. It...

CVSS 8.3 | AI score 6.6 | EPSS 0.00591
Exploits: 0 | References: 4

OSV
added 2024/08/29 6:0 p.m. | 11 views

GHSA-MGWR-H7MV-FH29 Hwameistor Potential Permission Leakage of Cluster Level

Impact What kind of vulnerability is it? Who is impacted? This ClusterRole has verbs of resources. If a malicious user can access the worker node which has hwameistor's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a...

CVSS 4.6 | AI score 5.1 | EPSS 0.00252
Exploits: 0 | References: 7