PT-2026-37269 · Unknown · Kubewarden

Published: 2026-05-05 · Updated: 2026-05-12 · CVE-2026-42541

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Kubewarden versions prior to 1.35.0

Description: An attacker with permissions to create AdmissionPolicy or AdmissionPolicyGroup objects can craft a policy that uses the can_i host callback to enumerate the RBAC permissions of any user or service account across the cluster. The can_i callback fails to enforce the context-aware allow-list via the can_access_kubernetes_resource() function and forwards requests directly to the callback handler. This handler executes a SubjectAccessReview (SAR), a request that determines whether a specific user or group may perform a specific action on a resource, using the policy-server's own privileges. The result is an authorization gap that allows information disclosure and reconnaissance: an attacker can learn whether service accounts are able to perform actions such as getting secrets, creating pods, or binding clusterroles in specific namespaces.

Recommendations:
- Update to version 1.35.0. For custom PolicyServers, set PolicyServer.spec.namespacedPoliciesCapabilities to an empty list ([]) to disallow capabilities.
- Update to version 1.35.0. For the default PolicyServer, set .Values.policyServer.namespacedPoliciesCapabilities to an empty list ([]) to disallow capabilities.
- Ensure namespaced AdmissionPolicies or AdmissionPolicyGroups are scheduled on PolicyServers with reduced permissions.
- Restrict users from creating namespaced policies (AdmissionPolicies, AdmissionPolicyGroups).
- Remove SubjectAccessReview "create" permissions from the RBAC of the PolicyServer ServiceAccount used by custom and default PolicyServers.
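An added audit check (example code, not Kubewarden's or the advisory's own) that flags the conditions the recommendations above target: PolicyServer objects whose spec.namespacedPoliciesCapabilities is not an empty list, RBAC roles whose rules grant "create" on subjectaccessreviews (wildcards included), and Kubewarden versions before 1.35.0. The manifests are constructed Python dicts; the capability value "kubernetes" and the treatment of an absent namespacedPoliciesCapabilities field as "not explicitly disabled" are assumptions.

```python
# Added audit example; not Kubewarden project code. Input manifests are plain dicts
# (e.g. the result of yaml.safe_load on `kubectl get ... -o yaml` output).
SAR_GROUP, SAR_RESOURCE = "authorization.k8s.io", "subjectaccessreviews"


def rule_grants_sar_create(rule):
    """True if a single RBAC rule allows creating SubjectAccessReviews, honouring '*' wildcards."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or SAR_GROUP in groups)
            and ("*" in resources or SAR_RESOURCE in resources)
            and ("*" in verbs or "create" in verbs))


def role_grants_sar_create(role):
    """True if any rule of a Role/ClusterRole grants SAR create (the permission the advisory says to remove)."""
    return any(rule_grants_sar_create(r) for r in role.get("rules", []))


def policyserver_exposes_capabilities(ps):
    """True unless spec.namespacedPoliciesCapabilities is explicitly []; an absent field is
    assumed not to disable capabilities (assumption, see lead-in)."""
    caps = ps.get("spec", {}).get("namespacedPoliciesCapabilities")
    return caps is None or len(caps) > 0


def is_vulnerable_version(version):
    """Advisory: Kubewarden versions prior to 1.35.0 are affected."""
    parts = tuple(int(p) for p in version.lstrip("v").split(".")[:3])
    return parts < (1, 35, 0)


def audit(policy_servers, cluster_roles):
    """Return one finding string per risky PolicyServer or SAR-granting role."""
    findings = []
    for ps in policy_servers:
        if policyserver_exposes_capabilities(ps):
            findings.append(f"PolicyServer/{ps['metadata']['name']}: namespacedPoliciesCapabilities is not []")
    for cr in cluster_roles:
        if role_grants_sar_create(cr):
            findings.append(f"ClusterRole/{cr['metadata']['name']}: grants create on subjectaccessreviews")
    return findings


# Constructed sample manifests (not taken from any real cluster).
SAMPLE_POLICY_SERVERS = [
    {"metadata": {"name": "default"}, "spec": {"namespacedPoliciesCapabilities": ["kubernetes"]}},
    {"metadata": {"name": "restricted"}, "spec": {"namespacedPoliciesCapabilities": []}},
]
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "policy-server-default"},
     "rules": [{"apiGroups": [SAR_GROUP], "resources": [SAR_RESOURCE], "verbs": ["create"]}]},
    {"metadata": {"name": "policy-server-restricted"},
     "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list"]}]},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_POLICY_SERVERS, SAMPLE_CLUSTER_ROLES):
        print(line)
```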

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers

CVE-2026-42541
GHSA-WQCW-G35J-J578

Affected Products

Kubewarden