DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-39961: Cross-Namespace Secret Exfiltration via Confused Deputy in Aiven Operator

Vulnerability ID: CVE-2026-39961
CVSS Score: 6.8
Published: 2026-04-10

The Aiven Operator for Kubernetes (versions 0.31.0 through 0.36.x) contains a critical privilege escalation and data exfiltration vulnerability. A low-privileged user who is only permitted to create specific custom resources (instances of the operator's CRDs) can exploit a confused deputy flaw in the operator's reconciliation loop: the operator, acting with its own cluster-wide privileges, reads sensitive Kubernetes Secrets from any namespace in the cluster on the user's behalf.

TL;DR

A confused deputy vulnerability in the Aiven Operator allows an attacker with only restricted custom-resource creation privileges to exfiltrate Secrets from arbitrary namespaces by pointing the connInfoSecretSource configuration at a namespace other than the resource's own.


Technical Details

  • CWE ID: CWE-269, CWE-441
  • Attack Vector: Network (via Kubernetes API)
  • CVSS Score: 6.8 (Medium)
  • EPSS Score: 0.00025 (0.03% probability)
  • Impact: Cross-Namespace Secret Exfiltration
  • Exploit Status: None public
  • KEV Status: Not Listed

Affected Systems

  • Aiven Operator (Kubernetes Operator)
  • aiven-operator: v0.31.0 through v0.36.x (fixed in v0.37.0)

Code Analysis

Commit: 032c9ba

Fix cross-namespace secret exfiltration vulnerability by removing user-defined namespace from ConnInfoSecretSource.

Removed `Namespace` field from `api/v1alpha1/common.go` and enforced `resource.GetNamespace()` in `controllers/secret_password_manager.go`.

Mitigation Strategies

  • Upgrade the Aiven Operator to version 0.37.0 or later.
  • Deploy a validating admission webhook (e.g., Kyverno or OPA Gatekeeper) that rejects ClickhouseUser and ServiceUser resources whose connInfoSecretSource.namespace differs from the resource's own namespace, as a compensating control until the operator is upgraded.
  • Enforce the principle of least privilege for the operator's ClusterRoles: do not grant cluster-wide Secret read access where cross-namespace access is not strictly required.

Remediation Steps:

  1. Identify the current version of the Aiven Operator deployed in the cluster using `kubectl get deployments -n aiven-operator`.
  2. Review the cluster's custom resources for any ClickhouseUser or ServiceUser objects that currently rely on the cross-namespace secret source feature.
  3. Update the configurations of the identified resources so that the referenced Secrets live in the same namespace as the custom resource.
  4. Update the Aiven Operator manifests or Helm charts to reference image tag v0.37.0.
  5. Apply the updated manifests to the cluster and verify that the operator pods restart successfully.
  6. Query the API server audit logs for writes that set connInfoSecretSource.namespace to a namespace other than the resource's own, covering the period before the patch was applied, to detect prior abuse.
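The audit-log check in step 6 can be implemented as a small scanner, as in this added example (not code from the operator project or from the original report). It assumes audit events are newline-delimited JSON in the audit.k8s.io/v1 layout, that the audit policy records these resources at level Request or RequestResponse so that requestObject is present, and that the custom resources are logged under the plural resource names clickhouseusers and serviceusers; the sample lines are constructed.

```go
package main

import "encoding/json"

// Subset of a Kubernetes audit event (audit.k8s.io/v1). requestObject is only
// recorded when the audit policy logs these resources at level Request or RequestResponse.
type auditEvent struct {
	Verb          string                                  `json:"verb"`
	User          struct{ Username string }               `json:"user"`
	ObjectRef     struct{ Resource, Namespace, Name string } `json:"objectRef"`
	RequestObject struct {
		Spec struct {
			ConnInfoSecretSource struct{ Name, Namespace string } `json:"connInfoSecretSource"`
		} `json:"spec"`
	} `json:"requestObject"`
}

// Finding records one write whose connInfoSecretSource points outside the object's own namespace.
type Finding struct{ User, Resource, Namespace, Name, SecretNamespace string }

// Constructed sample audit lines (not real cluster data): a benign ClickhouseUser, a ServiceUser
// naming a Secret in its own namespace, and a ClickhouseUser reaching into kube-system.
var sampleAuditLines = []string{
	`{"verb":"create","user":{"username":"alice"},"objectRef":{"resource":"clickhouseusers","namespace":"tenant-a","name":"ok"},"requestObject":{"spec":{"connInfoSecretSource":{"name":"creds"}}}}`,
	`{"verb":"update","user":{"username":"alice"},"objectRef":{"resource":"serviceusers","namespace":"tenant-a","name":"same"},"requestObject":{"spec":{"connInfoSecretSource":{"name":"creds","namespace":"tenant-a"}}}}`,
	`{"verb":"create","user":{"username":"mallory"},"objectRef":{"resource":"clickhouseusers","namespace":"tenant-b","name":"cross"},"requestObject":{"spec":{"connInfoSecretSource":{"name":"admin-token","namespace":"kube-system"}}}}`,
}

// CrossNamespaceSecretSource returns a Finding for every create/update/patch whose
// spec.connInfoSecretSource.namespace differs from the object's namespace; the v0.37.0
// fix removes that field and always uses the resource's own namespace instead.
func CrossNamespaceSecretSource(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue // malformed line: skip it rather than abort the scan
		}
		if ev.Verb != "create" && ev.Verb != "update" && ev.Verb != "patch" {
			continue // reads cannot set the field
		}
		src := ev.RequestObject.Spec.ConnInfoSecretSource
		if src.Namespace == "" || src.Namespace == ev.ObjectRef.Namespace {
			continue // field absent or same namespace: the safe configuration
		}
		out = append(out, Finding{ev.User.Username, ev.ObjectRef.Resource, ev.ObjectRef.Namespace, ev.ObjectRef.Name, src.Namespace})
	}
	return out
}
```

The same predicate (namespace set and different from the object's own) is what a Kyverno or Gatekeeper validating policy should deny at admission time.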

Read the full report for CVE-2026-39961 on our website for more details including interactive diagrams and full exploit analysis.
