CVE-2026-59269
Received Received - Intake

Privilege Escalation in Pinniped Supervisor via AD Group Manipulation

Vulnerability report for CVE-2026-59269, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VMware

Description

A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elevated permissions in the clusters, only if all the following conditions were true: the Pinniped Supervisor server is running with an ActiveDirectoryIdentityProvider resource configured; the ActiveDirectoryIdentityProvider.spec.groupSearch.attributes.groupName is empty; the attacker gains the ability to edit some part of the distinguished name (DN) of group entries in the Active Directory (AD) server's database for groups to which they belong; the configured group search parameters cause the edited group to be included in the group search results for the user; and the attacker knows the password for an AD user who belongs to the edited AD group. Affected versions: Pinniped (go.pinniped.dev) v0.11.0 through v0.46.0 inclusive; fixed in v0.47.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
vmware pinniped From 0.11.0 (inc) to 0.46.0 (inc)
vmware pinniped 0.47.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59269 is a privilege escalation vulnerability in VMware Pinniped Supervisor that affects Kubernetes clusters. It occurs when the Pinniped Supervisor is configured with an ActiveDirectoryIdentityProvider resource where the groupSearch.attributes.groupName is empty. An attacker who can edit the distinguished name (DN) of Active Directory (AD) group entries they belong to, and who knows the password of an AD user in that group, can manipulate the DN to alter the Kubernetes group name. This manipulation allows the attacker to gain elevated permissions within the Kubernetes cluster.

Impact Analysis

This vulnerability can allow an attacker to escalate their privileges within Kubernetes clusters managed by Pinniped Supervisor. Specifically, by exploiting the ability to edit their AD group's distinguished name and knowing a valid AD user's password, the attacker can gain elevated permissions in the cluster. This could lead to unauthorized access or control over cluster resources.

Detection Guidance

Detection of this vulnerability involves verifying the configuration of the Pinniped Supervisor and the ActiveDirectoryIdentityProvider resource.

  • Check if Pinniped Supervisor is running a vulnerable version (v0.11.0 through v0.46.0).
  • Verify if the ActiveDirectoryIdentityProvider resource is configured with an empty groupSearch.attributes.groupName.
  • Confirm if users have the ability to edit the distinguished name (DN) of their AD group entries.

Suggested commands include inspecting the Pinniped Supervisor version and configuration, for example:

  • kubectl get pods -n pinniped -o jsonpath='{.items[*].spec.containers[*].image}' # to check Pinniped Supervisor version
  • kubectl get activedirectoryidentityprovider -o yaml # to review ActiveDirectoryIdentityProvider resource configuration
  • Review Active Directory permissions and audit logs to detect unauthorized edits to group distinguished names.
Mitigation Strategies

Immediate mitigation steps include upgrading and configuration changes to prevent exploitation.

  • Upgrade Pinniped Supervisor to version 0.47.0 or later where the vulnerability is fixed.
  • Configure the ActiveDirectoryIdentityProvider resource to set the groupSearch.attributes.groupName to a non-empty value.
  • Prevent users from having the ability to edit the distinguished name (DN) of their Active Directory group entries.
Compliance Impact

This vulnerability allows an attacker to gain elevated permissions in Kubernetes clusters under specific conditions, potentially leading to unauthorized access or privilege escalation.

Such unauthorized access could impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

However, the vulnerability has a low severity score and requires multiple specific conditions, including high privileges and knowledge of AD user credentials, which may limit its practical impact.

Mitigation by upgrading to Pinniped Supervisor v0.47.0 or later and configuring groupName attributes properly can reduce the risk and help maintain compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59269. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart