CVE-2026-62290
Received Received - Intake

Privilege Escalation in cert-manager via Unauthorized Challenge Creation

Vulnerability report for CVE-2026-62290, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. From 1.18.0 until 1.19.6 and 1.20.3, Challenge resources under acme.cert-manager.io can be created directly by namespace users without admission validation tying the Challenge to an Order, owner reference, or Issuer-selected solver, allowing attacker-controlled Challenge.spec.solver values referencing a ClusterIssuer to bypass DNS01 solver selectors such as dnsZones, dnsNames, and matchLabels and cause cert-manager to use ClusterIssuer DNS credentials for attacker-selected provider settings and DNS names, including disclosure of X-Api-User and X-Api-Key headers for acme-dns. This issue is fixed in versions 1.19.6 and 1.20.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
cert-manager cert-manager 1.18.0
cert-manager cert-manager 1.19.6
cert-manager cert-manager 1.20.2
cert-manager cert-manager From 1.18.0 (inc) to 1.20.3 (exc)
jetstack cert-manager From 1.18.0 (inc) to 1.19.6 (exc)
jetstack cert-manager 1.19.6
jetstack cert-manager 1.20.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-62290 is a vulnerability in cert-manager where users with namespace permissions can create standalone ACME Challenge resources that bypass Issuer DNS01 solver policies and use ClusterIssuer DNS credentials. The issue occurs because cert-manager does not validate that a Challenge is owned by an Order or Issuer when created directly by a user. Attackers can bypass solver selectors like dnsZones or matchLabels and use ClusterIssuer DNS credentials for unauthorized DNS operations. This affects versions between 1.18.0 and 1.20.2.

Detection Guidance

To detect this vulnerability, check for unauthorized ACME Challenge resources created directly by namespace users. Use kubectl commands to inspect Challenge resources: kubectl get challenges -A. Look for Challenges not owned by an Order or Issuer. Also review cert-manager-edit ClusterRole permissions: kubectl get clusterrole cert-manager-edit -o yaml. Ensure it does not grant create, patch, or update permissions for Challenges or Orders.

Impact Analysis

An attacker with namespace access could create malicious Challenges referencing a ClusterIssuer, potentially exposing DNS credentials to attacker-controlled endpoints. For the acme-dns provider, this could lead to disclosure of sensitive headers like X-Api-User and X-Api-Key. The impact includes unauthorized DNS operations and credential theft.

Compliance Impact

This vulnerability could lead to unauthorized access to DNS credentials and potential data exfiltration, which may violate compliance requirements for data protection and security such as GDPR and HIPAA. Exposure of sensitive headers and DNS operations could result in regulatory penalties and loss of trust.

Mitigation Strategies

Upgrade cert-manager to versions 1.19.6, 1.20.3, or later. Remove unnecessary permissions from the cert-manager-edit ClusterRole by removing create, patch, and update verbs for Challenges and Orders. Audit existing Challenge and Order resources for unauthorized entries. Restrict namespace user permissions to prevent direct resource creation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62290. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart