PT-2026-46989 · Go · github.com/siderolabs/omni

Published 2026-06-05 · Updated 2026-06-05 · CVE-2026-45726

CVSS v3.1: 7.6 (High)

Vector: AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Summary

Omni supports importing standalone Talos clusters.
During this process, an ImportedClusterSecrets resource is created, which contains the full CA secrets bundle for the cluster being imported.
If these secrets are not rotated by the importing actor, an authenticated Omni user with Reader access can read this resource and gain full access to the Talos, Kubernetes and etcd APIs of the cluster.

Severity

  • Attack Vector: Adjacent: the attacker needs to be on the same network to reach the Talos/Kubernetes APIs with the compromised keys.
  • Attack Complexity: High: the attacker needs a deep understanding of Omni's internals. The resource is only created for imported clusters and is normally not exposed to users through any high-level API.
  • Privileges Required: Low: the Reader role is sufficient for the attacker to read an imported cluster's secrets.
  • User Interaction: Required: another user must have imported a cluster into Omni for this vulnerability to exist.
  • Scope: Changed: the leaked CA private keys let an attacker gain full control of Kubernetes or Talos directly, beyond the limitations enforced by Omni.
  • Confidentiality Impact: High: the full set of cluster CA private keys (Kubernetes, Talos, etcd, service account) is exposed.
  • Integrity Impact: High: with the CA keys the attacker has full control over Kubernetes and Talos on the compromised (imported) cluster and can modify the workloads running on it.
  • Availability Impact: High: with the CA keys the attacker has full control over Kubernetes and Talos on the compromised (imported) cluster and can modify the workloads running on it.

Impact

  • Any Reader-level account can exfiltrate the complete CA private key hierarchy (Kubernetes CA, etcd CA, service account key) of the imported clusters whose secrets are not yet rotated ("tainted" imported clusters).
  • With the Kubernetes CA private key, an attacker can sign certificates for any Kubernetes user or group, including system:masters, achieving cluster-admin access to the imported cluster entirely outside Omni's control plane.
  • Impact scope extends beyond Omni to every Kubernetes workload, credential, and secret stored in the affected imported cluster.
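A certificate signed offline with a leaked Kubernetes CA key leaves no issuance record on the cluster, so the practical place to spot its use is the API server audit log: a client-certificate identity carrying system:masters that nobody provisioned. The following detection is an added example, not code from the advisory or from Omni; it assumes audit.k8s.io/v1 JSON-lines output and a constructed allowlist of identities (KNOWN_ADMIN_USERS) that legitimately hold system:masters.

```python
import json
from typing import Iterable

# Constructed sample Kubernetes audit events (audit.k8s.io/v1 JSON lines), not
# taken from the advisory. The third event models a client certificate minted
# with a leaked CA key: an unknown CN placed directly in system:masters.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "stageTimestamp": "2026-06-05T10:00:01Z", "verb": "list",
     "user": {"username": "admin", "groups": ["system:masters", "system:authenticated"]},
     "requestURI": "/api/v1/pods", "sourceIPs": ["10.0.0.5"]},
    {"kind": "Event", "stageTimestamp": "2026-06-05T10:00:02Z", "verb": "get",
     "user": {"username": "system:kube-controller-manager", "groups": ["system:authenticated"]},
     "requestURI": "/api/v1/nodes", "sourceIPs": ["10.0.0.1"]},
    {"kind": "Event", "stageTimestamp": "2026-06-05T10:00:03Z", "verb": "create",
     "user": {"username": "ops-tmp", "groups": ["system:masters", "system:authenticated"]},
     "requestURI": "/api/v1/namespaces/kube-system/secrets", "sourceIPs": ["10.0.4.77"]},
])

# Assumption: identities that legitimately carry system:masters on this cluster.
KNOWN_ADMIN_USERS = {"admin"}


def find_unexpected_masters(lines: Iterable[str],
                            known_admins: set = KNOWN_ADMIN_USERS) -> list:
    """Return audit events in which a principal outside known_admins
    authenticated with the system:masters group."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise such as partial or rotated lines
        if event.get("kind") != "Event":
            continue
        user = event.get("user") or {}
        if "system:masters" in user.get("groups", []) and user.get("username") not in known_admins:
            hits.append({
                "time": event.get("stageTimestamp"),
                "user": user.get("username"),
                "verb": event.get("verb"),
                "uri": event.get("requestURI"),
                "source": ",".join(event.get("sourceIPs", [])),
            })
    return hits
```

A hit is only a lead, not proof: confirm the identity against how kubeconfigs are actually issued for the cluster, and treat any imported cluster whose CA bundle was readable at Reader level as needing rotation regardless of what the log shows.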

Credit

This vulnerability was discovered and reported by bugbunny.ai.

Fix

Weakness Enumeration

  • Information Disclosure
  • Incorrect Permission
  • Insufficiently Protected Credentials

Related Identifiers

CVE-2026-45726
GHSA-WV8C-6MX2-XF4J

Affected Products

github.com/siderolabs/omni