CVE-2026-6383
MEDIUMKubevirt: kubevirt: unauthorized subresource access due to improper rbac evaluation
Title source: cnaDescription
A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources.
References (2)
Core 2
Core References
Issue Tracking, X_Refsource_Redhat issue-tracking
x_refsource_redhat
RHBZ#2458741
https://bugzilla.redhat.com/show_bug.cgi?id=2458741
Vdb Entry, X_Refsource_Redhat vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-6383
Scores
CVSS v3
5.4
EPSS
0.0015
EPSS Percentile
4.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (2)
kubevirt.io/kubevirt
0Go
Red Hat/Red Hat OpenShift Virtualization 4
Published
Apr 15, 2026
Tracked Since
Apr 16, 2026