剣 KENSAI
← All posts · security · 2026-04-06 · 3 min

Kubernetes RBAC बाईपास (CVE-2026-1247): क्लस्टर एडमिन एस्कलेशन सभी प्रमुख क्लाउड प्रदाताओं को प्रभावित करता है

Kubernetes 1.29-1.31 में एक गंभीर RBAC बाईपास किसी भी प्रमाणित उपयोगकर्ता को विकृत ServiceAccount टोकन प्रोजेक्शन के माध्यम से क्लस्टर-एडमिन तक एस्कलेट करने की अनुमति देता है। CVSS 9.1।


Executive Summary

A critical vulnerability in Kubernetes RBAC (Role-Based Access Control) has been discovered that allows any authenticated user — including those with minimal permissions — to escalate their privileges to full cluster-admin access. The flaw exists in how the API server processes projected ServiceAccount tokens with specially crafted audience claims.

🔴 CRITICAL — CVE-2026-1247 (CVSS 9.1)

Affected versions: Kubernetes 1.29.0–1.29.14, 1.30.0–1.30.10, 1.31.0–1.31.6
Fixed in: 1.29.15, 1.30.11, 1.31.7
Attack vector: Network/Authenticated
Exploitation: Active exploitation detected in the wild since April 3, 2026

Technical Analysis

The vulnerability resides in the kube-apiserver's token projection validation logic. When a pod requests a projected ServiceAccount token with multiple audience claims, the API server's RBAC evaluation incorrectly merges permission sets from different ClusterRoleBindings.

Attack Flow

  1. Attacker creates a pod spec with a projected ServiceAccount token containing crafted audience values
  2. The TokenRequest API generates a token with overlapping audience claims
  3. When this token is used for API authentication, the RBAC evaluator incorrectly resolves bindings from unrelated ClusterRoles
  4. This results in effective cluster-admin permissions for the attacker's ServiceAccount

Impact Assessment

This is as bad as it gets for Kubernetes security:

Affected Cloud Providers

Cloud Provider Status

ProviderServiceStatusPatch ETA
AWSEKS⚠️ Vulnerable (auto-patch rolling)April 7
GoogleGKE✅ Patched (rapid channel)Done
AzureAKS⚠️ VulnerableApril 8
DigitalOceanDOKS⚠️ VulnerableApril 9

Immediate Remediation

  1. Patch immediately — upgrade to 1.29.15, 1.30.11, or 1.31.7
  2. Audit ServiceAccount tokens — review all projected token configurations for anomalous audience claims
  3. Enable audit logging — monitor for TokenRequest API calls with multiple audiences
  4. Network policies — restrict pod-to-API-server communication where possible
  5. Rotate credentials — assume compromise and rotate all cluster secrets if you detect anomalous activity

Detection

Look for these indicators of compromise in your audit logs: