PT-2026-5346 · Unknown · vCluster Platform

Cbron · Published 2026-01-29 · Updated 2026-01-30 · CVE-2026-22806

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

vCluster Platform versions prior to 4.6.0
vCluster Platform versions prior to 4.5.4
vCluster Platform versions prior to 4.4.2
vCluster Platform versions prior to 4.3.10

Description

vCluster Platform is a Kubernetes platform designed for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, a flaw exists where the scope of an access key with limited permissions could be bypassed, potentially allowing access to resources outside of the intended scope. However, access remains limited to the permissions of the access key owner. The issue allows limited access keys to bypass restrictions and access unauthorized resources.

Recommendations

Versions prior to 4.6.0 should be upgraded.
Versions prior to 4.5.4 should be upgraded.
Versions prior to 4.4.2 should be upgraded.
Versions prior to 4.3.10 should be upgraded.

Review access keys with limited scope and ensure users have appropriate permissions. If upgrading is not immediately possible, a temporary workaround is to create automation users with very limited permissions and use access keys for these users.

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-22806
GHSA-C539-W4CH-7WXQ

Affected Products

vCluster Platform