Kubewarden: RBAC Reconnaissance via unchecked can_i host capability call

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Kubewarden is a policy engine for Kubernetes. Prior to , An attacker with privileged AdmissionPolicy or AdmissionPolicyGroup create permissions (which isn't the default) can craft a policy that makes use of the can_i host callback. The callback issues a SubjectAccessReview (SAR) requests to enumerate RBAC permissions of any user or service account across the cluster. can_i does not perform that check to enforce the context-aware allow-list and forwards the request directly to the callback handler, which executes a real SubjectAccessReview using policy-server privileges. This creates a policy-level authorization gap: can_i is effectively usable even when the policy has no context-aware resource grant. This is an information disclosure / reconnaissance issue, and not direct workload data exfiltration. The attacker learns permission information, such as whether specific service accounts can "get secrets", "create pods", or "bind clusterroles" in chosen namespaces. This vulnerability is fixed in .

Basic Information

ID CVE-2026-42541

Source GitHub_M

Published May 12, 2026 at 17:57

Affected Product

Vendor kubewarden

Product kubewarden-controller

Version < 1.35.0

Affected Versions kubewarden kubewarden-controller < 1.35.0

CWE Classification

CWE-862

References

github.com /kubewarden/adm-controller/security/advisories/GHSA-wqcw-g35j-j578

{
    "lastseen": "",
    "description": "Kubewarden is a policy engine for Kubernetes. Prior to , An attacker with privileged AdmissionPolicy or AdmissionPolicyGroup create permissions (which isn't the default) can craft a policy that makes use of the can_i host callback. The callback issues a SubjectAccessReview (SAR) requests to enumerate RBAC permissions of any user or service account across the cluster. can_i does not perform that check to enforce the context-aware allow-list and forwards the request directly to the callback handler, which executes a real SubjectAccessReview using policy-server privileges. This creates a policy-level authorization gap: can_i is effectively usable even when the policy has no context-aware resource grant. This is an information disclosure / reconnaissance issue, and not direct workload data exfiltration. The attacker learns permission information, such as whether specific service accounts can \"get secrets\", \"create pods\", or \"bind clusterroles\" in chosen namespaces. This vulnerability is fixed in .",
    "published": "2026-05-12T17:57:54.665Z",
    "modified": "2026-05-12T17:57:54.665Z",
    "type": "cve",
    "title": "Kubewarden: RBAC Reconnaissance via unchecked can_i host capability call",
    "source": "GitHub_M",
    "references": "https://github.com/kubewarden/adm-controller/security/advisories/GHSA-wqcw-g35j-j578",
    "id": "CVE-2026-42541",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "kubewarden kubewarden-controller < 1.35.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "kubewarden-controller",
    "version": "< 1.35.0",
    "vendor": "kubewarden",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Kubewarden: RBAC Reconnaissance via unchecked can_i host capability call_CVE-2026-42541