Platform: go
Component: github.com/aiven/aiven-operator
Fixed in: 0.37.1, 0.37.0
CVE-2026-39961 is a privilege escalation vulnerability affecting the Aiven Operator, a Kubernetes operator for managing Aiven services. An attacker with create permission on ClickhouseUser Custom Resource Definitions (CRDs) can leverage a confused deputy scenario to exfiltrate secrets from any namespace within the cluster. This vulnerability impacts versions 0.36.x and is resolved in version 0.37.0.
The core of the vulnerability lies in the Aiven Operator's trust of user-supplied namespace values within the connInfoSecretSource specification. The operator's ServiceAccount possesses cluster-wide read/write access to secrets (via the aiven-operator-role ClusterRole), enabling it to access sensitive data. An attacker can craft a malicious ClickhouseUser CRD that instructs the operator to read secrets from a victim's namespace and write them to a new secret within the attacker's own namespace. This effectively allows the attacker to steal production database credentials, API keys, and other sensitive tokens without requiring direct access to the victim's namespace. The blast radius is significant, as any namespace containing secrets is potentially at risk.
This vulnerability was publicly disclosed on 2026-04-10. Currently, there are no known public proof-of-concept exploits. The vulnerability's severity is assessed as medium, indicating a moderate probability of exploitation. It has not yet been added to the CISA KEV catalog. While no active campaigns are confirmed, the ease of exploitation and potential impact warrant careful monitoring and prompt remediation.
Organizations utilizing the Aiven Operator to manage Aiven services within Kubernetes clusters are at risk. This includes those with multiple namespaces containing sensitive secrets, as well as those who have granted overly permissive roles to developers or service accounts. Shared Kubernetes environments and those relying on default configurations are particularly vulnerable.
• linux / server:
jauditd -l | grep 'aiven-operator' | grep 'read secret'
• kubernetes / audit:
Review Kubernetes audit logs for events where the aiven-operator ServiceAccount attempts to read secrets from namespaces it shouldn't have access to. Look for get operations on Secret resources with unusual namespace specifications.
• kubernetes / yaml:
Inspect ClickhouseUser CRD configurations for suspicious connInfoSecretSource.namespace values that might be attempting to target other namespaces.
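The CRD inspection above can be scripted: the following added example (not part of the advisory or the operator's code) takes the JSON that `kubectl get clickhouseusers -A -o json` produces and flags every ClickhouseUser whose `spec.connInfoSecretSource.namespace` differs from the resource's own namespace. The sample input is constructed; the `name` key inside connInfoSecretSource is an assumption.

```python
import json

# Constructed sample shaped like `kubectl get clickhouseusers -A -o json`; not real
# cluster output. The `name` key inside connInfoSecretSource is an assumption.
SAMPLE_KUBECTL_JSON = json.dumps({"kind": "List", "items": [
    {   # legitimate: source secret lives in the CR's own namespace
        "kind": "ClickhouseUser",
        "metadata": {"name": "app-user", "namespace": "team-a"},
        "spec": {"connInfoSecretSource": {"name": "app-user-pw", "namespace": "team-a"}},
    },
    {   # suspicious: source namespace differs from the CR's namespace
        "kind": "ClickhouseUser",
        "metadata": {"name": "user-x", "namespace": "dev-sandbox"},
        "spec": {"connInfoSecretSource": {"name": "prod-db-creds", "namespace": "prod"}},
    },
    {   # namespace omitted: resolves to the CR's own namespace, so not flagged
        "kind": "ClickhouseUser",
        "metadata": {"name": "ops-user", "namespace": "ops"},
        "spec": {"connInfoSecretSource": {"name": "ops-pw"}},
    },
    {   # no connInfoSecretSource at all: nothing to check
        "kind": "ClickhouseUser",
        "metadata": {"name": "plain", "namespace": "ops"},
        "spec": {},
    },
]})

def cross_namespace_sources(kubectl_json: str) -> list[dict]:
    """Return one finding per ClickhouseUser whose spec.connInfoSecretSource.namespace
    is set and differs from the resource's own metadata.namespace."""
    findings = []
    for item in json.loads(kubectl_json).get("items", []):
        if item.get("kind") != "ClickhouseUser":
            continue
        meta = item.get("metadata", {})
        own_ns = meta.get("namespace", "default")
        source = item.get("spec", {}).get("connInfoSecretSource") or {}
        src_ns = source.get("namespace")  # absent or empty means "same namespace"
        if src_ns and src_ns != own_ns:
            findings.append({
                "clickhouseuser": f"{own_ns}/{meta.get('name', '?')}",
                "source_namespace": src_ns,
                "source_secret": source.get("name", "?"),
            })
    return findings

if __name__ == "__main__":
    for f in cross_namespace_sources(SAMPLE_KUBECTL_JSON):
        print(f"CROSS-NAMESPACE {f['clickhouseuser']} -> {f['source_namespace']}/{f['source_secret']}")
```

Run it against the real `kubectl` output by piping the JSON into `cross_namespace_sources`; a legitimate cross-namespace reference should be rare enough that every finding deserves a manual look.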
EPSS: 0.03% (9th percentile)
The primary mitigation is to upgrade the Aiven Operator to version 0.37.0 or later, which includes the necessary validation to prevent the confused deputy attack. If an immediate upgrade is not feasible, consider implementing stricter Role-Based Access Control (RBAC) policies to limit the permissions of the aiven-operator ServiceAccount. Specifically, restrict its ability to read secrets from namespaces it doesn't explicitly need to access. Additionally, review and audit existing ClickhouseUser CRDs to identify and remove any potentially malicious configurations. After upgrading, confirm the fix by verifying that the operator no longer attempts to read secrets from unauthorized namespaces using Kubernetes audit logs.
Update Aiven Operator to version 0.37.0 or later to fix the cross-namespace secret exfiltration vulnerability. This update addresses the missing validation of user-supplied values in `spec.connInfoSecretSource`, preventing the operator from reading and writing secrets without authorization.
CVE-2026-39961 is a medium severity vulnerability in the Aiven Operator allowing developers to steal secrets from other namespaces by exploiting a confused deputy scenario. It impacts versions 0.36.x.
If you are using Aiven Operator versions 0.36.x within a Kubernetes cluster and have developers with create permission on ClickhouseUser CRDs, you are potentially affected.
Upgrade the Aiven Operator to version 0.37.0 or later. As a temporary workaround, restrict the operator's ServiceAccount permissions to limit its access to secrets.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants vigilance.
Refer to the official Aiven security advisory for detailed information and updates: [https://www.aiven.com/security/advisories](https://www.aiven.com/security/advisories)