CVE-2024-46528

MEDIUM

KubeSphere 3.x-3.4.1, 3.x-3.5.0, 4.x<4.1.3 - Authenticated Insecure Direct Object Reference

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-46528. PoCs published by Okan Kurtulus.

AI-analyzed exploit summary: This exploit describes an Insecure Direct Object Reference (IDOR) vulnerability in KubeSphere, allowing unauthorized access to cluster information and user data by a low-privileged user. The writeup lists accessible endpoints but does not include executable code.

Description

An Insecure Direct Object Reference (IDOR) vulnerability in KubeSphere 4.x before 4.1.3 and 3.x through 3.4.1 and KubeSphere Enterprise 4.x before 4.1.3 and 3.x through 3.5.0 allows low-privileged authenticated attackers to access sensitive resources without proper authorization checks.

Exploits (1)

exploitdb WRITEUP
by Okan Kurtulus · webapps · multiple
https://www.exploit-db.com/exploits/52097

Classification: Writeup 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: KubeSphere >= 4.0.0 & < 4.1.3, >= 3.0.0 & < 3.4.1
Auth required: yes
Prerequisites: Valid credentials for a low-privileged user (e.g., platform-regular)
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 4.3
EPSS: 0.0216
EPSS Percentile: 84.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-639
Status: published
Products (1): kubesphere/kubesphere 4.0.0 - 4.1.3 (Go)
Published: Oct 14, 2024
Tracked Since: Feb 18, 2026