CVE-2026-42541

Source
https://cve.org/CVERecord?id=CVE-2026-42541
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42541.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42541
Aliases
Published
2026-05-12T17:57:54.665Z
Modified
2026-07-08T08:13:25.037097244Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Kubewarden: RBAC Reconnaissance via unchecked can_i host capability call
Details

Kubewarden is a policy engine for Kubernetes. Prior to , An attacker with privileged AdmissionPolicy or AdmissionPolicyGroup create permissions (which isn't the default) can craft a policy that makes use of the cani host callback. The callback issues a SubjectAccessReview (SAR) requests to enumerate RBAC permissions of any user or service account across the cluster. cani does not perform that check to enforce the context-aware allow-list and forwards the request directly to the callback handler, which executes a real SubjectAccessReview using policy-server privileges. This creates a policy-level authorization gap: can_i is effectively usable even when the policy has no context-aware resource grant. This is an information disclosure / reconnaissance issue, and not direct workload data exfiltration. The attacker learns permission information, such as whether specific service accounts can "get secrets", "create pods", or "bind clusterroles" in chosen namespaces. This vulnerability is fixed in .

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42541.json"
}
References

Affected packages

Git / github.com/kubewarden/adm-controller

Affected ranges

Type
GIT
Repo
https://github.com/kubewarden/adm-controller
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.35.0"
        }
    ]
}

Affected versions

v0.*
v0.0.1
v0.1.0
v0.1.0-rc1
v0.1.1
v0.1.2
v0.1.3
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.3.0
v0.3.1
v0.3.2
v0.4.0
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.5-rc1
v0.5.1
v0.5.2
v0.5.2-rc
v0.5.2-rc2
v0.5.3
v0.5.4
v0.5.5
v1.*
v1.0.0
v1.0.0-rc1
v1.0.0-rc3
v1.0.0-rc4
v1.1.0
v1.1.1
v1.10.0
v1.10.0-rc1
v1.10.0-rc2
v1.10.1
v1.11.0
v1.11.0-rc1
v1.11.0-rc2
v1.11.0-rc3
v1.11.0-rc4
v1.11.0-rc5
v1.11.0-rc6
v1.12.0
v1.12.0-rc1
v1.12.0-rc2
v1.13.0
v1.13.0-rc1
v1.13.0-rc2
v1.14.0
v1.14.0-rc1
v1.14.0-rc2
v1.15.0
v1.15.0-rc2
v1.15.0-rc3
v1.15.1
v1.16.0
v1.16.0-rc2
v1.17.0
v1.17.0-rc1
v1.17.0-rc2
v1.17.0-rc3
v1.17.0-rc4
v1.17.1
v1.18.0
v1.18.0-beta1
v1.18.0-rc1
v1.19.0
v1.19.0-beta1
v1.19.0-rc1
v1.20.0
v1.20.0-rc1
v1.20.1
v1.21.0
v1.21.0-rc1
v1.21.0-rc2
v1.22.0
v1.22.0-rc1
v1.23.0
v1.23.0-beta1
v1.23.0-beta2
v1.23.0-rc1
v1.24.0
v1.24.0-rc1
v1.24.0-rc3
v1.25.0
v1.25.0-rc1
v1.26.0
v1.26.0-rc1
v1.27.0
v1.27.0-rc1
v1.28.0
v1.28.0-rc1
v1.29.0
v1.29.0-rc1
v1.29.0-rc2
v1.29.0-rc3
v1.3.0
v1.3.0-rc1
v1.3.0-rc2
v1.3.0-rc3
v1.30.0
v1.30.0-rc1
v1.30.0-rc2
v1.31.0
v1.31.0-rc1
v1.32.0
v1.32.0-rc1
v1.32.0-rc2
v1.32.0-rc3
v1.32.0-rc4
v1.32.0-rc5
v1.32.1
v1.33.0
v1.33.0-rc1
v1.33.0-rc2
v1.33.0-rc3
v1.33.1
v1.34.0
v1.34.0-rc1
v1.34.0-rc2
v1.34.1
v1.34.2
v1.4.0
v1.4.1
v1.4.2
v1.5.0
v1.6.0
v1.6.0-rc1
v1.6.0-rc3
v1.6.0-rc5
v1.6.1
v1.6.2
v1.7.0
v1.7.0-rc1
v1.7.0-rc2
v1.7.0-rc3
v1.7.1
v1.8.0
v1.8.0-rc1
v1.8.0-rc2
v1.8.1
v1.8.2
v1.9.0
v1.9.0-rc1
v1.9.0-rc2
v1.9.0-rc3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42541.json"