FKIE_CVE-2026-29773

Vulnerability from fkie_nvd - Published: 2026-03-10 17:39 - Updated: 2026-03-11 13:53
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden promises is that configured users can deploy namespaced policies in a safe manner, without privilege escalation. An attacker with privileged "AdmissionPolicy" create permissions (which isn't the default) could make use of 3 deprecated host-callback APIs: kubernetes/ingresses, kubernetes/namespaces, kubernetes/services. The attacker can craft a policy that exercises these deprecated API calls and would allow them read access to Ingresses, Namespaces, and Services resources respectively. This attack is read-only, there is no write capability and no access to Secrets, ConfigMaps, or other resource types beyond these three.
References
security-advisories@github.comhttps://github.com/kubewarden/kubewarden-controller/commit/4e41b60ae44902d82d94101bac93fb77cae65651
security-advisories@github.comhttps://github.com/kubewarden/kubewarden-controller/pull/1519
security-advisories@github.comhttps://github.com/kubewarden/kubewarden-controller/security/advisories/GHSA-6r7f-3fwq-hq74
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden promises is that configured users can deploy namespaced policies in a safe manner, without privilege escalation. An attacker with privileged \"AdmissionPolicy\" create permissions (which isn\u0027t the default) could make use of 3 deprecated host-callback APIs: kubernetes/ingresses, kubernetes/namespaces, kubernetes/services. The attacker can craft a policy that exercises these deprecated API calls and would allow them read access to Ingresses, Namespaces, and Services resources respectively. \nThis attack is read-only, there is no write capability and no access to Secrets, ConfigMaps, or other resource types beyond these three."
    },
    {
      "lang": "es",
      "value": "Kubewarden es un motor de pol\u00edticas para Kubernetes. Los operadores de cl\u00faster de Kubewarden pueden otorgar permisos a los usuarios para desplegar AdmissionPolicies y AdmissionPolicyGroups con \u00e1mbito de nombre de espacio en sus Namespaces. Una de las promesas de Kubewarden es que los usuarios configurados pueden desplegar pol\u00edticas con \u00e1mbito de nombre de espacio de manera segura, sin escalada de privilegios. Un atacante con permisos privilegiados de creaci\u00f3n de \u0027AdmissionPolicy\u0027 (lo cual no es el valor predeterminado) podr\u00eda hacer uso de 3 API de devoluci\u00f3n de llamada de host obsoletas: kubernetes/ingresses, kubernetes/namespaces, kubernetes/services. El atacante puede elaborar una pol\u00edtica que utilice estas llamadas a la API obsoletas y les permitir\u00eda acceso de lectura a los recursos Ingresses, Namespaces y Services respectivamente.\nEste ataque es de solo lectura, no hay capacidad de escritura y no hay acceso a Secrets, ConfigMaps u otros tipos de recursos m\u00e1s all\u00e1 de estos tres."
    }
  ],
  "id": "CVE-2026-29773",
  "lastModified": "2026-03-11T13:53:47.157",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-10T17:39:03.210",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/kubewarden/kubewarden-controller/commit/4e41b60ae44902d82d94101bac93fb77cae65651"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/kubewarden/kubewarden-controller/pull/1519"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/kubewarden/kubewarden-controller/security/advisories/GHSA-6r7f-3fwq-hq74"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.