CVE-2026-22806

CRITICAL EPSS 35.5%

Published Jan 29, 20265mo ago · Modified Jun 17, 20261w ago

9.1 CVSS 3.1

Critical

Published Jan 29, 2026 5mo ago

Last Modified Jun 17, 2026 1w ago

Description

vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, the scope can be bypassed to access resources outside of it. However, the user still cannot access resources beyond what is accessible to the owner of the access key. Versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10 fix the vulnerability. Some other mitigations are available. Users can limit exposure by reviewing access keys which are scoped and ensuring any users with access to them have appropriate permissions set. Creating automation users with very limited permissions and using access keys for these automation users can be used as a temporary workaround where upgrading is not immediately possible but scoped access keys are needed.

CVSS Details

Base Score

9.1

Exploitability

2.3

Impact

6.0

Vector string

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope Changed

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

35.5% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-863 Incorrect Authorization Authorization

References 1

github.com https://github.com/loft-sh/loft/security/advisories/GHSA-c539-w4ch-7wxq

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.