CVE-2026-29773
Read-Only Unauthorized Access via Deprecated APIs in Kubewarden AdmissionPolicies

Publication date: 2026-03-10

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant users permission to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden's promises is that such users can deploy namespaced policies safely, without privilege escalation. An attacker with privileged "AdmissionPolicy" create permissions (which is not the default) could make use of three deprecated host-callback APIs: kubernetes/ingresses, kubernetes/namespaces, and kubernetes/services. The attacker can craft a policy that exercises these deprecated API calls, which would give them read access to Ingress, Namespace, and Service resources respectively. This attack is read-only: there is no write capability and no access to Secrets, ConfigMaps, or other resource types beyond these three.
Meta Information

  • Published: 2026-03-10
  • Last Modified: 2026-03-10
  • Generated: 2026-05-07
  • AI Q&A: 2026-03-10
  • EPSS Evaluated: 2026-05-05
Affected Vendors & Products

  • Vendor: kubewarden; Product: kubewarden; Version / Range: 1.33.0
CWE

  • CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-29773 is a moderate severity vulnerability in Kubewarden, a Kubernetes policy engine. It arises from the use of three deprecated host callback APIs: kubernetes/ingresses, kubernetes/namespaces, and kubernetes/services. An attacker with privileged AdmissionPolicy create permissions (which are not granted by default) could exploit these deprecated APIs to gain unauthorized read-only access to Ingresses, Namespaces, and Services resources across namespaces.

The vulnerability is due to an incorrect authorization check (CWE-863) that failed to properly restrict access to these deprecated APIs. Although the attacker can read certain cluster information such as namespace names and labels, service details including ClusterIPs and ports, and ingress hostnames with routing rules, they cannot write or access sensitive resources like Secrets or ConfigMaps.


How can this vulnerability impact me?

This vulnerability allows an attacker with certain privileges to perform unauthorized read-only access to cluster resources such as Ingresses, Namespaces, and Services. This can lead to information disclosure about the cluster topology, namespace details, and routing rules.

  • Exposure of namespace names and labels.
  • Disclosure of service details including ClusterIPs and ports.
  • Access to ingress hostnames and routing rules.

However, the vulnerability does not allow modification of resources or access to sensitive data like Secrets or ConfigMaps, limiting the impact to confidentiality only.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the use of deprecated host callback APIs in Kubewarden that allow read-only access to Kubernetes resources such as Ingresses, Namespaces, and Services by users with privileged AdmissionPolicy create permissions.

Detection can focus on identifying whether any AdmissionPolicies or AdmissionPolicyGroups are deployed with permissions to use these deprecated APIs or if any policies are invoking the deprecated "kubernetes" waPC binding.

Since the deprecated APIs were removed in Kubewarden version 1.33.0, checking the version of your Kubewarden policy-server image can help detect vulnerability presence.

Suggested commands include:

  • Check Kubewarden version: `kubectl get pods -n <kubewarden-namespace> -o jsonpath='{.items[*].spec.containers[*].image}'` and verify if the version is older than 1.33.0.
  • List AdmissionPolicies and AdmissionPolicyGroups with create permissions: `kubectl get admissionpolicies,admissionpolicygroups --all-namespaces -o yaml | grep -i 'create'` to identify if any users have privileged create permissions.
  • Audit policy definitions for usage of the deprecated "kubernetes" waPC binding or references to deprecated APIs by searching policy code or configurations.

[1, 2]
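The version check above can be scripted rather than eyeballed. The following is an added example, not code from the advisory or the Kubewarden project: it takes the image list that the kubectl jsonpath command prints, picks out policy-server images, and flags tags older than 1.33.0. The ghcr.io image names and tags are constructed sample data, and the repository naming is an assumption; adjust the pattern to your registry.

```shell
#!/bin/sh
# Added example (not advisory or project code): flags policy-server images
# tagged older than 1.33.0 in the image list printed by the kubectl command
# above. Image names below are constructed sample data (assumed naming).

FIXED_VERSION="1.33.0"

# Returns 0 if tag $1 is older than $2. A leading "v" and a "-rc1"-style
# suffix are ignored; missing minor/patch fields count as 0.
version_older_than() {
    a=${1%%-*}; a=${a#v}
    b=${2%%-*}; b=${b#v}
    i=1
    while [ "$i" -le 3 ]; do
        fa=$(printf '%s.0.0\n' "$a" | cut -d. -f"$i")
        fb=$(printf '%s.0.0\n' "$b" | cut -d. -f"$i")
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
        i=$((i + 1))
    done
    return 1   # equal versions are not older
}

# Reads whitespace-separated image references on stdin, prints each
# policy-server image older than FIXED_VERSION; exit 0 if any were found.
find_outdated_policy_servers() {
    found=1
    for image in $(cat); do
        case "$image" in
            *policy-server*) ;;   # only the policy-server image runs policies
            *) continue ;;
        esac
        tag=${image##*:}
        case "$tag" in
            */*|"$image") echo "$image: untagged, check manually" >&2; continue ;;
            v[0-9].*|[0-9].*) ;;  # semver-looking tag: compare below
            *) echo "$image: non-semver or digest tag, check manually" >&2; continue ;;
        esac
        if version_older_than "$tag" "$FIXED_VERSION"; then
            echo "$image"
            found=0
        fi
    done
    return $found
}

# Constructed sample in the single-line format kubectl's jsonpath prints.
SAMPLE_IMAGES='ghcr.io/kubewarden/policy-server:v1.32.0 ghcr.io/kubewarden/kubewarden-controller:v1.33.0 ghcr.io/kubewarden/policy-server:v1.33.0 ghcr.io/kubewarden/policy-server:latest'

printf '%s\n' "$SAMPLE_IMAGES" | find_outdated_policy_servers || echo "no outdated policy-server images found"
```

On a live cluster, replace the sample with `kubectl get pods -n <kubewarden-namespace> -o jsonpath='{.items[*].spec.containers[*].image}' | find_outdated_policy_servers`; images pinned by digest or tagged `latest` are reported on stderr for manual review rather than silently passed.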


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Kubewarden to version 1.33.0 or later, which removes the deprecated host callback APIs responsible for this vulnerability.

As a temporary workaround before upgrading, restrict user permissions to prevent creation or modification of namespaced AdmissionPolicies or AdmissionPolicyGroups by untrusted users.

Review and audit existing AdmissionPolicies to ensure they do not use deprecated APIs or bindings.

  • Upgrade policy-server images to version 1.33.0 or later.
  • Restrict AdmissionPolicy and AdmissionPolicyGroup create permissions to trusted users only.
  • Audit and remove any policies using deprecated "kubernetes" waPC bindings.

[2]

