CVE-2026-6383

MEDIUM

Kubevirt: kubevirt: unauthorized subresource access due to improper rbac evaluation

Title source: cna

Description

A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources.

References (2)

[Issue Tracking, X_Refsource_Redhat] https://bugzilla.redhat.com/show_bug.cgi?id=2458741

[Vdb Entry, X_Refsource_Redhat] https://access.redhat.com/security/cve/CVE-2026-6383

Scores

CVSS v3 5.4

EPSS 0.0003

EPSS Percentile 9.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (2)

kubevirt.io/kubevirt 0Go

Red Hat/Red Hat OpenShift Virtualization 4

Published Apr 15, 2026

Tracked Since Apr 16, 2026