Kubernetes RBAC बाईपास (CVE-2026-1247): क्लस्टर एडमिन एस्कलेशन सभी प्रमुख क्लाउड प्रदाताओं को प्रभावित करता है
Kubernetes 1.29-1.31 में एक गंभीर RBAC बाईपास किसी भी प्रमाणित उपयोगकर्ता को विकृत ServiceAccount टोकन प्रोजेक्शन के माध्यम से क्लस्टर-एडमिन तक एस्कलेट करने की अनुमति देता है। CVSS 9.1।
Executive Summary
A critical vulnerability in Kubernetes RBAC (Role-Based Access Control) has been discovered that allows any authenticated user — including those with minimal permissions — to escalate their privileges to full cluster-admin access. The flaw exists in how the API server processes projected ServiceAccount tokens with specially crafted audience claims.
🔴 CRITICAL — CVE-2026-1247 (CVSS 9.1)
Affected versions: Kubernetes 1.29.0–1.29.14, 1.30.0–1.30.10, 1.31.0–1.31.6
Fixed in: 1.29.15, 1.30.11, 1.31.7
Attack vector: Network/Authenticated
Exploitation: Active exploitation detected in the wild since April 3, 2026
Technical Analysis
The vulnerability resides in the kube-apiserver's token projection validation logic. When a pod requests a projected ServiceAccount token with multiple audience claims, the API server's RBAC evaluation incorrectly merges permission sets from different ClusterRoleBindings.
Attack Flow
- Attacker creates a pod spec with a projected ServiceAccount token containing crafted audience values
- The
TokenRequestAPI generates a token with overlapping audience claims - When this token is used for API authentication, the RBAC evaluator incorrectly resolves bindings from unrelated ClusterRoles
- This results in effective cluster-admin permissions for the attacker's ServiceAccount
Impact Assessment
This is as bad as it gets for Kubernetes security:
- Full cluster compromise — read/write access to all namespaces, secrets, and workloads
- Lateral movement — pivot to other clusters via shared service accounts or federated identity
- Data exfiltration — access to all ConfigMaps, Secrets (including TLS certs and cloud provider credentials)
- Supply chain risk — ability to modify running workloads, inject malicious containers, or alter CI/CD pipelines
Affected Cloud Providers
Cloud Provider Status
| Provider | Service | Status | Patch ETA |
|---|---|---|---|
| AWS | EKS | ⚠️ Vulnerable (auto-patch rolling) | April 7 |
| GKE | ✅ Patched (rapid channel) | Done | |
| Azure | AKS | ⚠️ Vulnerable | April 8 |
| DigitalOcean | DOKS | ⚠️ Vulnerable | April 9 |
Immediate Remediation
- Patch immediately — upgrade to 1.29.15, 1.30.11, or 1.31.7
- Audit ServiceAccount tokens — review all projected token configurations for anomalous audience claims
- Enable audit logging — monitor for
TokenRequestAPI calls with multiple audiences - Network policies — restrict pod-to-API-server communication where possible
- Rotate credentials — assume compromise and rotate all cluster secrets if you detect anomalous activity
Detection
Look for these indicators of compromise in your audit logs:
- TokenRequest calls with more than 2 audience values
- Unexpected
system:serviceaccountsubjects in ClusterRoleBinding audit events - ServiceAccount tokens being used from IP addresses outside normal pod CIDR ranges
- Sudden increase in secrets read operations from low-privilege namespaces