CVE-2026-22806
Access Key Scope Bypass in vCluster Platform Prior to

Publication date: 2026-01-29

Last updated on: 2026-01-29

Assigner: GitHub, Inc.

Description
vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, that scope can be bypassed to reach resources outside of it. The holder of the key still cannot access resources beyond what the owner of the access key is permitted to access. Versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10 fix the vulnerability. Some other mitigations are available. Users can limit exposure by reviewing scoped access keys and ensuring that any users who hold them have appropriately limited permissions. Where upgrading is not immediately possible but scoped access keys are needed, creating automation users with very limited permissions and issuing access keys for those automation users can serve as a temporary workaround.
Meta Information
Published: 2026-01-29
Last Modified: 2026-01-29
Generated: 2026-05-07
AI Q&A: 2026-01-29
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: loft-sh
Product: vcluster-platform
Version / Range: to 4.3.10 (exc)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-22806 is a critical vulnerability in the vCluster Platform where access keys created with limited scopes intended to restrict access to specific virtual clusters can be bypassed. This means an access key scoped to one virtual cluster can be exploited to access other virtual clusters within the same user's accessible environment. However, the user cannot access resources beyond what they are originally authorized to access. The vulnerability is fixed in versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10. [1]


How can this vulnerability impact me?

This vulnerability can allow an attacker with high privileges and access to a scoped access key to bypass the intended scope restrictions and access additional virtual clusters and resources within the same user's environment. This can lead to significant confidentiality, integrity, and availability impacts, including unauthorized data access, modification, and disruption of services. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading the vCluster Platform to versions 4.6.0, 4.5.4, 4.4.2, or 4.3.10 where the vulnerability is fixed. If upgrading is not immediately possible, review all scoped access keys to ensure that users with access to these keys have appropriate permissions. Additionally, create automation users with very limited permissions and use access keys for these users as a temporary workaround to limit exposure. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

