CVE-2026-22806
📋 TL;DR
This vulnerability in vCluster Platform allows users with scoped access keys to bypass scope restrictions and access resources outside their intended scope; they remain limited to the permissions of the key owner. It affects all vCluster Platform deployments prior to the patched versions. The effect is an escalation from the key's declared scope to the full set of permissions held by the access key owner.
💻 Affected Systems
- vCluster Platform
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with a scoped access key could access all resources available to the key owner, potentially compromising sensitive data or performing unauthorized administrative actions within the key owner's permission boundaries.
Likely Case
Users with legitimate scoped access keys unintentionally or intentionally access resources outside their intended scope, leading to data exposure or unauthorized operations within their existing permission set.
If Mitigated
With proper access controls and limited user permissions, the impact is contained to the specific resources accessible to the key owner, preventing broader system compromise.
🎯 Exploit Status
Exploitation requires a valid scoped access key. The advisory suggests the bypass is straightforward once an attacker has such a key.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6.0, 4.5.4, 4.4.2, or 4.3.10
Vendor Advisory: https://github.com/loft-sh/loft/security/advisories/GHSA-c539-w4ch-7wxq
Restart Required: Yes
Instructions:
1. Identify your current vCluster Platform version.
2. Upgrade to the appropriate patched version: 4.6.0, 4.5.4, 4.4.2, or 4.3.10.
3. Restart the vCluster Platform services.
4. Verify the upgrade was successful.
🔧 Temporary Workarounds
Review and restrict scoped access keys
Audit all scoped access keys and ensure users with access have appropriate minimal permissions
# Review existing access keys and their scopes
kubectl get accesskeys -A
# Revoke unnecessary or overly permissive keys
kubectl delete accesskey <key-name> -n <namespace>
Create limited automation users
Create dedicated automation users with minimal permissions and use access keys only for these users
# Create service account with minimal permissions
kubectl create serviceaccount automation-user -n <namespace>
# Apply restrictive RBAC role
kubectl apply -f restrictive-role.yaml
🧯 If You Can't Patch
- Disable all scoped access keys and use only unscoped keys with appropriate permissions
- Implement network segmentation to limit access to vCluster Platform management interfaces
🔍 How to Verify
Check if Vulnerable:
Check if your vCluster Platform version is earlier than 4.6.0, 4.5.4, 4.4.2, or 4.3.10
Check Version:
kubectl get deployment loft -n loft -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -o ':[0-9.]*'
Verify Fix Applied:
Confirm the version is 4.6.0, 4.5.4, 4.4.2, or 4.3.10 or later, and test that scoped access keys cannot bypass their defined scope
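The version check above is done by eye; the following POSIX shell script is an added example (not from the advisory or the vendor) that classifies an image tag against the four patched releases by minor line, so 4.3.9 is flagged while 4.3.10 and 4.6.0 are not. Image names and digests are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the advisory or the vendor: classify a vCluster Platform
# image tag against the patched releases 4.6.0, 4.5.4, 4.4.2 and 4.3.10.
# Only the numeric X.Y.Z part of a tag is compared; pre-release suffixes are dropped.

# version_lt A B: exit 0 when dotted numeric version A is lower than B
version_lt() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "$x" = "$a" ] && a= || a=${a#*.}
    [ "$y" = "$b" ] && b= || b=${b#*.}
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
  done
  return 1   # equal
}
# patched_for VERSION: first fixed release for that version's minor line
patched_for() {
  rest=${1#*.}
  case "${1%%.*}.${rest%%.*}" in
    4.3) echo 4.3.10 ;;
    4.4) echo 4.4.2 ;;
    4.5) echo 4.5.4 ;;
    *)   echo 4.6.0 ;;   # 4.2 and older: no backport listed; 4.6+ compares as fixed
  esac
}
# is_vulnerable VERSION: exit 0 when VERSION is below its line's patched release
is_vulnerable() { version_lt "$1" "$(patched_for "$1")"; }
# version_from_image IMAGE: print the X.Y.Z tag (suffix and @sha256 digest dropped),
# or nothing when the tag is not a version such as "latest"
version_from_image() {
  printf '%s\n' "$1" |
    sed -n 's/^.*:v\{0,1\}\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*$/\1/p'
}
# report IMAGE: one-line verdict for an image reference
report() {
  v=$(version_from_image "$1")
  if [ -z "$v" ]; then echo "$1: unknown (tag is not X.Y.Z, check the release manually)"
  elif is_vulnerable "$v"; then echo "$1: VULNERABLE ($v < $(patched_for "$v"))"
  else echo "$1: fixed ($v)"; fi
}
# Constructed sample image references (placeholders, not real deployments); on a live
# cluster feed in the output of the advisory's kubectl jsonpath query instead.
for img in registry.example/loft:4.5.3 registry.example:5000/loft:4.3.9@sha256:0000 \
           registry.example/loft:4.2.1 registry.example/loft:4.6.0 registry.example/loft:latest; do
  report "$img"
done
```

A tag that is not a plain version (for example "latest" or a digest-only reference) is reported as unknown rather than guessed, since a wrong "fixed" verdict is the worst outcome here.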
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to resources outside scoped access key boundaries
- Access logs showing successful requests to resources beyond declared scope
Network Indicators:
- Unusual API call patterns from users with scoped access keys
- Requests to resources that should be blocked by scope restrictions
SIEM Query:
source="vcluster-platform" AND (event_type="access_violation" OR resource_scope_bypass="true")