CVE-2026-39961

EPSS 0.39%
Veröffentlicht 09.04.2026 18:17:02
Zuletzt bearbeitet 13.05.2026 16:06:00
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource

Aiven Operator allows you to provision and manage Aiven Services from your Kubernetes cluster. From 0.31.0 to before 0.37.0, a developer with create permission on ClickhouseUser CRDs in their own namespace can exfiltrate secrets from any other namespace — production database credentials, API keys, service tokens — with a single kubectl apply. The operator reads the victim's secret using its ClusterRole and writes the password into a new secret in the attacker's namespace. The operator acts as a confused deputy: its ServiceAccount has cluster-wide secret read/write (aiven-operator-role ClusterRole), and it trusts user-supplied namespace values in spec.connInfoSecretSource.namespace without validation. No admission webhook enforces this boundary — the ServiceUser webhook returns nil, and no ClickhouseUser webhook exists. This vulnerability is fixed in 0.37.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Aiven ≫ Aiven Operator Version >= 0.31.0 < 0.37.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.39%	0.31

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	6.8	2.3	4	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

https://github.com/aiven/aiven-operator/commit/032c9ba63257fdd2fddfb7f73f71830e371ff182

Patch

https://github.com/aiven/aiven-operator/releases/tag/v0.37.0

Product

Release Notes

https://github.com/aiven/aiven-operator/security/advisories/GHSA-99j8-wv67-4c72

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-39961

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-39961

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-39961

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-39961