GHSA-M23H-6MWM-39M8

Vulnerability from github – Published: 2026-05-19 19:30 – Updated: 2026-05-19 19:30
Summary
Kong Ingress Controller for Kubernetes (KIC): Cross-namespace TLS Secret Exfiltration in Gateways with GatewayClass missing `konghq.com/gatewayclass-unmanaged: 'true'` annotation
Details

Summary

A vulnerability in the Kong Ingress Controller (KIC) allows the unauthorized exfiltration of TLS certificates and private keys across Kubernetes namespace boundaries. In "managed" mode (where the GatewayClass lacks the unmanaged annotation), the Gateway TLS translator skips critical listener status checks. This bypass lets the translator fetch Secrets from any namespace KIC watches, even when no ReferenceGrant permits the reference (the grant is missing or does not cover the Secret).

An actor with RBAC permissions to create or modify Gateways in a low-privileged namespace can reference a Secret in a high-privileged namespace, causing KIC to "leak" that Secret's sensitive private key material into the Kong dataplane configuration.

Am I affected?

You are affected if all of these hold:

  1. You are using Kong Ingress Controller with the Gateway API.
  2. Your GatewayClass is operating in managed mode (default behavior, no unmanaged annotation).
  3. KIC is configured to watch multiple namespaces (multi-tenant environment).
  4. Users have RBAC permissions to create or update gateways.gateway.networking.k8s.io in their own namespaces.

You are not affected if any of these holds:

  - You only use KIC for Ingress resources (not Gateway API).
  - Your GatewayClass carries the konghq.com/gatewayclass-unmanaged: 'true' annotation (unmanaged mode).
  - KIC is restricted via RBAC or configuration to watch only a single namespace, so there is no other namespace whose Secrets it could reach.
  - You have strictly limited Gateway creation/modification permissions to trusted cluster administrators only.

Mitigation

  1. Set the GatewayClass to unmanaged: add the konghq.com/gatewayclass-unmanaged: 'true' annotation (the one named in the summary above) to your GatewayClass. The vulnerable code path is only taken in managed mode.

Additional best practices

  1. Restrict Gateway RBAC: Limit the ability to create or modify Gateway resources to high-trust administrative users until a patch is applied.
  2. Namespace Isolation: If possible, limit the namespaces KIC is permitted to watch using the WATCH_NAMESPACE environment variable or specific RBAC RoleBindings.

Fix

The fix mandates ReferenceGrant validation for all cross-namespace certificate references: the translator now fetches a listener's certificate Secret only when that listener's status is Programmed: True, which for a cross-namespace reference requires the ReferenceGrant check to have passed. Same-namespace certificates keep their default access, so no ReferenceGrant is needed for them. This closes the exfiltration vector.

Fixed in #7920, with backports to supported release branches in #7921 and #7922.

Upgrade to one of the following patched versions (or later):

  - 3.4.14
  - 3.5.7
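The check the fix makes mandatory, worked as an added example. This is illustrative Go written for this page, not KIC's translator code: it decodes Gateway and ReferenceGrant lists in the shape that `kubectl get gateways -A -o json` and `kubectl get referencegrants -A -o json` emit, resolves every listener's certificateRefs, and applies the Gateway API ReferenceGrant rule. Same-namespace Secrets pass without a grant; a cross-namespace Secret passes only if a grant in the Secret's namespace names a Gateway from the referencing namespace. The embedded cluster objects (namespaces tenant-a, tenant-b, tenant-c and platform; Secrets wildcard-tls, api-tls and own-tls) are constructed for the example. Every granted=false line is a reference the pre-fix managed-mode translator would have resolved anyway, which is the audit an operator wants to run before (and after) upgrading.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal views of the Gateway API objects the audit reads (encoding/json matches
// keys case-insensitively, so these untagged exported fields decode the lowerCamel JSON).
type meta struct{ Name, Namespace string }
type certRef struct{ Name, Namespace string } // refs are assumed to be Secrets, the API default kind
type listener struct {
	Name string
	TLS  struct{ CertificateRefs []certRef } // empty for a plain HTTP listener
}
type gateway struct {
	Metadata meta
	Spec     struct{ Listeners []listener }
}
type grantPeer struct{ Group, Kind, Namespace, Name string } // "from" uses Namespace, "to" uses Name
type referenceGrant struct {
	Metadata meta
	Spec     struct{ From, To []grantPeer }
}

const gatewayGroup = "gateway.networking.k8s.io"

// grantAllows implements the ReferenceGrant rule: a grant in the Secret's namespace must
// list a Gateway from the referencing namespace under "from" and core Secrets under "to".
func grantAllows(grants []referenceGrant, gatewayNS, secretNS, secretName string) bool {
	for _, g := range grants {
		fromOK := false
		for _, f := range g.Spec.From {
			fromOK = fromOK || (f.Group == gatewayGroup && f.Kind == "Gateway" && f.Namespace == gatewayNS)
		}
		for _, t := range g.Spec.To {
			if g.Metadata.Namespace == secretNS && fromOK && t.Group == "" && t.Kind == "Secret" &&
				(t.Name == "" || t.Name == secretName) { // an empty "to" name grants every Secret
				return true
			}
		}
	}
	return false
}

// finding is one listener certificateRef plus the post-fix verdict.
type finding struct {
	Gateway, Listener, Secret string
	CrossNamespace, Granted   bool
}

func auditGateways(gws []gateway, grants []referenceGrant) []finding {
	var out []finding
	for _, gw := range gws {
		gwNS := gw.Metadata.Namespace
		for _, l := range gw.Spec.Listeners {
			for _, ref := range l.TLS.CertificateRefs {
				secretNS := ref.Namespace // an omitted namespace means the Gateway's own
				if secretNS == "" {
					secretNS = gwNS
				}
				cross := secretNS != gwNS // same-namespace refs need no grant, before or after the fix
				out = append(out, finding{gwNS + "/" + gw.Metadata.Name, l.Name, secretNS + "/" + ref.Name,
					cross, !cross || grantAllows(grants, gwNS, secretNS, ref.Name)})
			}
		}
	}
	return out
}

// runAudit decodes two lists in the shape `kubectl get <kind> -A -o json` emits.
func runAudit(gatewaysJSON, grantsJSON string) ([]finding, error) {
	var gws struct{ Items []gateway }
	var grants struct{ Items []referenceGrant }
	if err := errors.Join(json.Unmarshal([]byte(gatewaysJSON), &gws), json.Unmarshal([]byte(grantsJSON), &grants)); err != nil {
		return nil, err
	}
	return auditGateways(gws.Items, grants.Items), nil
}

// Constructed sample input (not from a real cluster): three tenant Gateways and one
// ReferenceGrant that covers only tenant-b's reference to platform/api-tls.
const sampleGateways = `{"items":[
 {"metadata":{"name":"web","namespace":"tenant-a"},"spec":{"listeners":[{"name":"https","tls":{"certificateRefs":[{"name":"wildcard-tls","namespace":"platform"}]}}]}},
 {"metadata":{"name":"api","namespace":"tenant-b"},"spec":{"listeners":[{"name":"https","tls":{"certificateRefs":[{"name":"api-tls","namespace":"platform"}]}},{"name":"http"}]}},
 {"metadata":{"name":"local","namespace":"tenant-c"},"spec":{"listeners":[{"name":"https","tls":{"certificateRefs":[{"name":"own-tls"}]}}]}}]}`
const sampleGrants = `{"items":[{"metadata":{"name":"allow-tenant-b","namespace":"platform"},"spec":{
 "from":[{"group":"gateway.networking.k8s.io","kind":"Gateway","namespace":"tenant-b"}],
 "to":[{"group":"","kind":"Secret","name":"api-tls"}]}}]}`

func main() {
	findings, err := runAudit(sampleGateways, sampleGrants)
	if err != nil {
		panic(err)
	}
	for _, f := range findings { // granted=false lines are the pre-fix leak
		fmt.Printf("granted=%-5v cross=%-5v %s %q -> %s\n", f.Granted, f.CrossNamespace, f.Gateway, f.Listener, f.Secret)
	}
}
```

To run it against a live cluster, feed runAudit the output of the two kubectl commands instead of the embedded samples. Two simplifications to keep in mind: certificateRefs are treated as Secrets regardless of any kind field, and the real translator gates on listener status (Programmed: True) rather than re-deriving the grant check itself; the decision this example makes is the one that status is supposed to encode.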

CVSS

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P = 5.6 Medium


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.5.6"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kong/kubernetes-ingress-controller/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.5.0"
            },
            {
              "fixed": "3.5.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.4.13"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kong/kubernetes-ingress-controller/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kong/kubernetes-ingress-controller/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.12.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kong/kubernetes-ingress-controller"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T19:30:23Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA vulnerability in the Kong Ingress Controller (KIC) allows for the unauthorized exfiltration of TLS certificates and private keys across Kubernetes namespace boundaries. In \"managed\" mode (where the `GatewayClass` lacks an unmanaged annotation), the Gateway TLS translator skips critical status checks. This bypass allows the translator to fetch Secrets from any namespace KIC watches, even when a `ReferenceGrant` explicitly denies access or is missing.\n\nAn actor with RBAC permissions to create or modify Gateways in a low-privileged namespace can reference a Secret in a high-privileged namespace, causing KIC to \"leak\" that Secret\u0027s sensitive private key material into the Kong dataplane configuration.\n\n## Am I affected?\n\nYou are affected if all of these hold:\n1. You are using Kong Ingress Controller with the **Gateway API**.\n2. Your `GatewayClass` is operating in **managed mode** (default behavior, no unmanaged annotation).\n3. KIC is configured to **watch multiple namespaces** (multi-tenant environment).\n4. Users have RBAC permissions to `create` or `update` `gateways.gateway.networking.k8s.io` in their own namespaces.\n\nYou are not affected if any of this:\n- You only use KIC for `Ingress` resources (not Gateway API).\n- Your `GatewayClass` uses the `konghq.com/gateway-unmanaged` annotation.\n- KIC is restricted via RBAC or configuration to only watch a single namespace.\n- You have strictly limited Gateway creation/modification permissions to trusted cluster administrators only.\n\n## Mitigation\n\n1. **Add unmanaged gateway annotation**: add the `konghq.com/gateway-unmanaged` annotation to your `GatewayClass`\n\n### Additional best practicies\n\n1. **Restrict Gateway RBAC**: Limit the ability to create or modify Gateway resources to high-trust administrative users until a patch is applied.\n2. **Namespace Isolation**: If possible, limit the namespaces KIC is permitted to watch using the `WATCH_NAMESPACE` environment variable or specific RBAC RoleBindings.\n\n## Fix\n\nThe fix mandates `ReferenceGrant` validation for all cross-namespace certificate references. By requiring a `Programmed: True` listener status, the translator now strictly authorizes external Secret access while maintaining default access for same-namespace certificates, effectively closing the exfiltration vector.\n\nFixed in [#7920](https://github.com/Kong/kubernetes-ingress-controller/pull/7920), with backports to supported release branches in [#7921](https://github.com/Kong/kubernetes-ingress-controller/pull/7921) and [#7922](https://github.com/Kong/kubernetes-ingress-controller/pull/7922).\n\nUpgrade to one of the following patched versions (or later):\n- **3.4.14**\n- **3.5.7**\n\n## CVSS\n\n`CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P` = **5.6 Medium**",
  "id": "GHSA-m23h-6mwm-39m8",
  "modified": "2026-05-19T19:30:23Z",
  "published": "2026-05-19T19:30:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Kong/kubernetes-ingress-controller/security/advisories/GHSA-m23h-6mwm-39m8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Kong/kubernetes-ingress-controller/pull/7920"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Kong/kubernetes-ingress-controller/pull/7921"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Kong/kubernetes-ingress-controller/pull/7922"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Kong/kubernetes-ingress-controller"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kong Ingress Controller for Kubernetes (KIC): Cross-namespace TLS Secret Exfiltration in Gateways with GatewayClass missing `konghq.com/gatewayclass-unmanaged: \u0027true\u0027` annotation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…