GHSA-99j8-wv67-4c72

Source
https://github.com/advisories/GHSA-99j8-wv67-4c72
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-99j8-wv67-4c72/GHSA-99j8-wv67-4c72.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-99j8-wv67-4c72
Aliases
  • CVE-2026-39961
Published
2026-04-10T17:22:00Z
Modified
2026-04-10T17:33:55.581600Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Summary
Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource
Details

Impact

A developer with create permission on ClickhouseUser CRDs in their own namespace can exfiltrate secrets from any other namespace — production database credentials, API keys, service tokens — with a single kubectl apply. The operator reads the victim's secret using its ClusterRole and writes the password into a new secret in the attacker's namespace.

The operator acts as a confused deputy: its ServiceAccount has cluster-wide secret read/write (aiven-operator-role ClusterRole), and it trusts user-supplied namespace values in spec.connInfoSecretSource.namespace without validation. No admission webhook enforces this boundary — the ServiceUser webhook returns nil, and no ClickhouseUser webhook exists.
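The missing boundary check described above, as an added example that is not the operator's own code (the project's real types are not on this page): a ClickhouseUser may only source credentials from a Secret in its own namespace, which is the rule an admission webhook or the reconciler itself would enforce. The struct shapes and function names are assumptions modelled on the field names the advisory quotes.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified shape of the spec fields involved.
// Namespace is user-supplied and, per the advisory, was trusted unvalidated.
type ConnInfoSecretSource struct {
	Name      string
	Namespace string
}

// Hypothetical, simplified ClickhouseUser: only the fields needed for the check.
type ClickhouseUser struct {
	Name      string
	Namespace string
	Spec      struct{ ConnInfoSecretSource *ConnInfoSecretSource }
}

var ErrCrossNamespaceSecret = errors.New("connInfoSecretSource.namespace must match the object's namespace")

// EffectiveSecretNamespace returns the namespace the operator should read from:
// an empty source namespace means "same as the object", never "anywhere".
func EffectiveSecretNamespace(u *ClickhouseUser) string {
	if u.Spec.ConnInfoSecretSource == nil || u.Spec.ConnInfoSecretSource.Namespace == "" {
		return u.Namespace
	}
	return u.Spec.ConnInfoSecretSource.Namespace
}

// ValidateConnInfoSecretSource rejects any reference that would make the
// operator's ClusterRole read a Secret outside the requesting object's namespace.
func ValidateConnInfoSecretSource(u *ClickhouseUser) error {
	src := u.Spec.ConnInfoSecretSource
	if src == nil {
		return nil // no external source, nothing to check
	}
	if src.Name == "" {
		return errors.New("connInfoSecretSource.name must not be empty")
	}
	if ns := EffectiveSecretNamespace(u); ns != u.Namespace {
		return fmt.Errorf("%w: referenced %q, object is in %q", ErrCrossNamespaceSecret, ns, u.Namespace)
	}
	return nil
}

func main() {
	u := &ClickhouseUser{Name: "app-user", Namespace: "team-a"} // constructed sample object
	u.Spec.ConnInfoSecretSource = &ConnInfoSecretSource{Name: "db-creds", Namespace: "prod"}
	fmt.Println(ValidateConnInfoSecretSource(u)) // prints the cross-namespace error
}
```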

Patches

This vulnerability is resolved in version 0.37.0. We recommend all users update as soon as possible.

Credits

Credits to Andrés Cruciani for finding and reporting the bug through our bug bounty program.

Database specific
{
    "cwe_ids": [
        "CWE-269",
        "CWE-441"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T17:22:00Z",
    "nvd_published_at": "2026-04-09T18:17:02Z",
    "severity": "MODERATE"
}
References

Affected packages

Go / github.com/aiven/aiven-operator

Package

Name
github.com/aiven/aiven-operator
Purl
pkg:golang/github.com/aiven/aiven-operator

Affected ranges

Type
SEMVER
Events
Introduced
0.31.0
Fixed
0.37.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-99j8-wv67-4c72/GHSA-99j8-wv67-4c72.json"