GHSA-mw9r-p8xp-wx96

Source
https://github.com/advisories/GHSA-mw9r-p8xp-wx96
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-mw9r-p8xp-wx96/GHSA-mw9r-p8xp-wx96.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mw9r-p8xp-wx96
Aliases
  • CVE-2026-55225
Published
2026-06-18T13:04:43Z
Modified
2026-06-18T13:16:05.179427074Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Strimzi: Cross-namespace privilege escalation via `Kafka.spec.entityOperator`
Details

Impact

Having the Topic Operator and User Operator watch a namespace other than the one where the Kafka cluster is deployed is a fully documented feature.

When the `watchedNamespace` field is set on the Topic Operator or User Operator (under `Kafka.spec.entityOperator`), the Cluster Operator creates a Role granting full CRUD on Secrets in the specified namespace, together with a RoleBinding that binds that Role to the Entity Operator ServiceAccount living in the namespace where the Kafka cluster runs.

An attacker can create a Kafka custom resource in a namespace they control with `watchedNamespace` set to a target namespace, then mint a token for the Entity Operator ServiceAccount in their own namespace and use it to read and write Secrets in the target. This works for any target namespace in which the Cluster Operator itself holds the necessary rights, regardless of the value of the STRIMZI_NAMESPACE environment variable. The at-risk namespaces are therefore exactly those for which the cluster administrator has granted the Cluster Operator permissions by creating the related RoleBinding(s).

Patches

The issue is fixed in Strimzi 1.0.1 and 1.1.0 by gating the watched namespace feature behind a dedicated environment variable in the Cluster Operator deployment. The feature is disabled by default.

Workarounds

A possible workaround is to use a policy engine such as Kyverno or OPA to reject Kafka custom resources that set `watchedNamespace` on the Topic Operator or User Operator, so the field cannot be used at configuration level.
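The following is an added example of the Kyverno variant of that workaround; it is not part of the advisory or the Strimzi project. It assumes Kyverno is installed (kyverno.io/v1 API) alongside the Strimzi Kafka CRD, and the policy name and message text are chosen here. The rule denies admission of any Kafka resource whose `spec.entityOperator.topicOperator.watchedNamespace` or `spec.entityOperator.userOperator.watchedNamespace` is non-empty, on both CREATE and UPDATE.

```yaml
# Added example (not from the advisory or Strimzi): Kyverno ClusterPolicy that
# rejects Kafka custom resources using the watchedNamespace feature.
# Assumed names: policy "strimzi-deny-watched-namespace", rule name and message.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: strimzi-deny-watched-namespace
spec:
  # Enforce rejects the admission request; switch to Audit to only report.
  validationFailureAction: Enforce
  # Also scan already existing Kafka resources and record violations in
  # PolicyReports, so clusters configured before the policy was applied show up.
  background: true
  rules:
    - name: deny-entity-operator-watched-namespace
      match:
        any:
          - resources:
              kinds:
                # Bare kind; use kafka.strimzi.io/<version>/Kafka to pin the API
                # group and version used in your cluster.
                - Kafka
      validate:
        message: >-
          Kafka.spec.entityOperator.{topicOperator,userOperator}.watchedNamespace
          is not allowed (GHSA-mw9r-p8xp-wx96 / CVE-2026-55225): it grants the
          Entity Operator ServiceAccount in this namespace read/write access to
          Secrets in another namespace.
        deny:
          conditions:
            # Deny if either operator sets a non-empty watchedNamespace.
            any:
              # JMESPath: a missing field evaluates to null; "|| ''" maps that
              # to an empty string so the comparison is well defined.
              - key: "{{ request.object.spec.entityOperator.topicOperator.watchedNamespace || '' }}"
                operator: NotEquals
                value: ""
              - key: "{{ request.object.spec.entityOperator.userOperator.watchedNamespace || '' }}"
                operator: NotEquals
                value: ""
```

Apply it with `kubectl apply -f` and first run it with `validationFailureAction: Audit` to find legitimate users of the feature before switching to `Enforce`. Two caveats: the policy only blocks new or updated Kafka resources, so existing ones that already set the field must be remediated separately (a quick inventory is `kubectl get kafka -A -o json | jq -r '.items[] | select(.spec.entityOperator.topicOperator.watchedNamespace or .spec.entityOperator.userOperator.watchedNamespace) | "\(.metadata.namespace)/\(.metadata.name)"'`); and the Role/RoleBinding pair the Cluster Operator already created in the target namespace should be checked and removed as part of that remediation rather than assumed gone. Teams that intentionally use watched namespaces can carve out specific namespaces with an `exclude` block, which is the same trust decision the upstream fix makes explicit with its environment variable.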

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-06-18T13:04:43Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-269",
        "CWE-441"
    ]
}
References

Affected packages

Maven / io.strimzi:strimzi

Package

Name
io.strimzi:strimzi
Purl
pkg:maven/io.strimzi/strimzi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.1

Affected versions

0.*
0.9.0
0.10.0
0.11.0
0.11.1
0.11.2
0.11.3
0.11.4
0.12.0
0.12.1
0.12.2
0.13.0
0.14.0
0.15.0
0.16.0
0.16.1
0.16.2
0.17.0
0.18.0
0.19.0
0.20.0
0.20.1
0.21.0
0.21.1
0.22.0
0.22.1
0.23.0
0.24.0
0.25.0
0.26.0
0.26.1
0.27.0
0.27.1
0.28.0
0.29.0
0.30.0
0.31.0
0.31.1
0.32.0
0.33.0
0.33.1
0.33.2
0.34.0
0.35.0
0.35.1
0.36.0
0.36.1
0.37.0
0.38.0
0.39.0
0.40.0
0.41.0
0.42.0
0.43.0
0.44.0
0.45.0
0.45.1-RC1
0.45.1
0.45.2-RC1
0.45.2
0.46.0
0.46.1-RC1
0.46.1
0.47.0-RC1
0.47.0
0.48.0-RC1
0.48.0
0.49.0-RC1
0.49.0-RC2
0.49.0
0.49.1-RC1
0.49.1
0.50.0-RC1
0.50.0
0.50.1-RC1
0.50.1
0.51.0-RC1
0.51.0-RC2
0.51.0
1.*
1.0.0-RC1
1.0.0-RC2
1.0.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-mw9r-p8xp-wx96/GHSA-mw9r-p8xp-wx96.json"
last_known_affected_version_range
"<= 1.0.0"