K8S.Io Kubernetes vulnerabilities

CVE-2025-13281 [MEDIUM] CWE-918 kube-controller-manager is vulnerable to half-blind Server Side Request Forgery through in-tree Portworx StorageClass kube-controller-manager is vulnerable to half-blind Server Side Request Forgery through in-tree Portworx StorageClass A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected

CVE-2025-5187 [MEDIUM] CWE-863 Kubernetes Nodes can delete themselves by adding an OwnerReference Kubernetes Nodes can delete themselves by adding an OwnerReference A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be dele

CVE-2025-4563 [LOW] CWE-863 kubernetes allows nodes to bypass dynamic resource allocation authorization checks kubernetes allows nodes to bypass dynamic resource allocation authorization checks A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform

CVE-2024-7598 Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes

CVE-2024-9042 [MEDIUM] CWE-20 Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API A security vulnerability has been discovered in Kubernetes windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host. This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is runni

CVE-2025-1767 [MEDIUM] CWE-20 Kubernetes GitRepo Volume Inadvertent Local Repository Access Kubernetes GitRepo Volume Inadvertent Local Repository Access A security vulnerability was discovered in Kubernetes that could allow a user with create pod permission to exploit gitRepo volumes to access local git repositories belonging to other pods on the same node. This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the sam

CVE-2025-0426 [MEDIUM] CWE-400 Node Denial of Service via kubelet Checkpoint API Node Denial of Service via kubelet Checkpoint API A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.

CVE-2024-10220 [HIGH] CWE-22 Kubernetes kubelet arbitrary command execution Kubernetes kubelet arbitrary command execution The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes.This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.

CVE-2024-0793 [HIGH] CWE-20 Kubernetes Nil pointer dereference in KCM after v1 HPA patch request Kubernetes Nil pointer dereference in KCM after v1 HPA patch request A flaw was found in kube-controller-manager. This issue occurs when the initial application of a HPA config YAML lacking a .spec.behavior.scaleUp block causes a denial of service due to KCM pods going into restart churn.

CVE-2022-3294 Kubernetes vulnerable to validation bypass in k8s.io/kubernetes Kubernetes vulnerable to validation bypass in k8s.io/kubernetes Kubernetes vulnerable to validation bypass in k8s.io/kubernetes

CVE-2022-3162 Kubernetes vulnerable to path traversal in k8s.io/kubernetes Kubernetes vulnerable to path traversal in k8s.io/kubernetes Kubernetes vulnerable to path traversal in k8s.io/kubernetes

CVE-2024-5321 [HIGH] CWE-276 Kubernetes sets incorrect permissions on Windows containers logs Kubernetes sets incorrect permissions on Windows containers logs A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and NT AUTHORITY\Authenticated Users may be able to modify container logs.

CVE-2020-8557 Denial of service in Kubernetes in k8s.io/kubernetes Denial of service in Kubernetes in k8s.io/kubernetes Denial of service in Kubernetes in k8s.io/kubernetes

CVE-2019-11245 Kubelet Incorrect Privilege Assignment in k8s.io/kubernetes Kubelet Incorrect Privilege Assignment in k8s.io/kubernetes Kubelet Incorrect Privilege Assignment in k8s.io/kubernetes

CVE-2020-8563 Sensitive Information leak for VSphere users via Log File in k8s.io/kubernetes Sensitive Information leak for VSphere users via Log File in k8s.io/kubernetes Sensitive Information leak for VSphere users via Log File in k8s.io/kubernetes

CVE-2020-8566 Sensitive Information leak for users of Ceph RBD via Log File in k8s.io/kubernetes Sensitive Information leak for users of Ceph RBD via Log File in k8s.io/kubernetes Sensitive Information leak for users of Ceph RBD via Log File in k8s.io/kubernetes

CVE-2020-8559 [MEDIUM] CWE-601 Privilege Escalation in Kubernetes Privilege Escalation in Kubernetes The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.7 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

CVE-2024-3177 [LOW] CWE-20 Kubernetes allows bypassing mountable secrets policy imposed by the ServiceAccount admission plugin Kubernetes allows bypassing mountable secrets policy imposed by the ServiceAccount admission plugin A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field popu

CVE-2023-5528 [HIGH] CWE-20 Kubernetes Improper Input Validation vulnerability Kubernetes Improper Input Validation vulnerability A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.

CVE-2023-3955 [HIGH] CWE-20 Kubernetes privilege escalation vulnerability Kubernetes privilege escalation vulnerability A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.