GHSA-99J8-WV67-4C72
Vulnerability from github – Published: 2026-04-10 17:22 – Updated: 2026-04-10 17:22
Impact
A developer with create permission on ClickhouseUser CRDs in their own namespace can exfiltrate secrets from any other namespace — production database credentials, API keys, service tokens — with a single kubectl apply. The operator reads the victim's secret using its ClusterRole and writes the password into a new secret in the attacker's namespace.
The operator acts as a confused deputy: its ServiceAccount has cluster-wide secret read/write (aiven-operator-role ClusterRole), and it trusts user-supplied namespace values in spec.connInfoSecretSource.namespace without validation. No admission webhook enforces this boundary — the ServiceUser webhook returns nil, and no ClickhouseUser webhook exists.
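The missing boundary check described above, written as an added example rather than the operator's own code or its actual fix: the referenced secret's namespace must equal the ClickhouseUser object's own namespace, so the operator's cluster-wide secret access is never steered across namespaces by a user-supplied value. The struct layout beyond the two paths named in the advisory (metadata.namespace and spec.connInfoSecretSource.namespace) and the JSON input form are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal view of a ClickhouseUser manifest (field layout assumed); only what the check needs.
type ClickhouseUser struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		ConnInfoSecretSource *struct {
			Name      string `json:"name"`
			Namespace string `json:"namespace"`
		} `json:"connInfoSecretSource"`
	} `json:"spec"`
}

// ValidateConnInfoSecretSource rejects an object whose source secret lives in a different
// namespace than the object itself, the boundary a namespaced user must not be able to cross.
func ValidateConnInfoSecretSource(raw []byte) error {
	var u ClickhouseUser
	if err := json.Unmarshal(raw, &u); err != nil {
		return fmt.Errorf("decode ClickhouseUser: %w", err)
	}
	if u.Metadata.Namespace == "" {
		return fmt.Errorf("metadata.namespace must be set")
	}
	src := u.Spec.ConnInfoSecretSource
	if src == nil {
		return nil // no source secret referenced, nothing to check
	}
	// An empty source namespace is treated as the object's own namespace.
	if src.Namespace != "" && src.Namespace != u.Metadata.Namespace {
		return fmt.Errorf("connInfoSecretSource.namespace %q must equal object namespace %q",
			src.Namespace, u.Metadata.Namespace)
	}
	return nil
}

func main() {
	// Constructed sample manifests in JSON form (what an admission webhook would receive).
	ok := []byte(`{"metadata":{"name":"app","namespace":"dev"},"spec":{"connInfoSecretSource":{"name":"src","namespace":"dev"}}}`)
	bad := []byte(`{"metadata":{"name":"app","namespace":"dev"},"spec":{"connInfoSecretSource":{"name":"prod-db","namespace":"prod"}}}`)
	fmt.Println(ValidateConnInfoSecretSource(ok), ValidateConnInfoSecretSource(bad))
}
```

In a real deployment this check belongs in a validating admission webhook for ClickhouseUser (and the other CRDs that carry connInfoSecretSource), so the reconciler never sees a cross-namespace reference.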
Patches
This vulnerability is resolved in version 0.37.0. We recommend all users update as soon as possible.
Credits
Credits to Andrés Cruciani for finding and reporting the bug through our bug bounty program
{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/aiven/aiven-operator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.31.0"
            },
            {
              "fixed": "0.37.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39961"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-441"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T17:22:00Z",
    "nvd_published_at": "2026-04-09T18:17:02Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nA developer with create permission on ClickhouseUser CRDs in their own namespace can exfiltrate secrets from any other namespace \u2014 production database credentials, API keys, service tokens \u2014 with a single kubectl apply. The operator reads the victim\u0027s secret using its ClusterRole and writes the password into a new secret in the attacker\u0027s namespace.\n\nThe operator acts as a confused deputy: its ServiceAccount has cluster-wide secret read/write (aiven-operator-role ClusterRole), and it trusts user-supplied namespace values in spec.connInfoSecretSource.namespace without validation. No admission webhook enforces this boundary \u2014 the ServiceUser webhook returns nil, and no ClickhouseUser webhook exists.\n\n### Patches\n\nThis vulnerability is resolved in version 0.37.0. We recommend all users update as soon as possible.\n\n### Credits\n\nCredits to Andr\u00e9s Cruciani for finding and reporting the bug through our [bug bounty program](https://bugcrowd.com/aiven-mbb-og)",
  "id": "GHSA-99j8-wv67-4c72",
  "modified": "2026-04-10T17:22:00Z",
  "published": "2026-04-10T17:22:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aiven/aiven-operator/security/advisories/GHSA-99j8-wv67-4c72"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39961"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aiven/aiven-operator/commit/032c9ba63257fdd2fddfb7f73f71830e371ff182"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aiven/aiven-operator"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aiven/aiven-operator/releases/tag/v0.37.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.