Bug 2458741 (CVE-2026-6383)

Summary: CVE-2026-6383 kubevirt: KubeVirt: Unauthorized subresource access due to improper RBAC evaluation
Product: [Other] Security Response
Component: vulnerability
Reporter: OSIDB Bzimport <bzimport>
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
CC: fdeutsch, oramraz, smullick, stirabos, thason
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Text:
A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources.

Description OSIDB Bzimport 2026-04-15 18:08:01 UTC
A flaw was found in KubeVirt's RBAC (Role-Based Access Control) evaluation logic. The authorization mechanism improperly truncates subresource names during evaluation. This causes requests for granular subresources, such as vnc/screenshot or sev/*, to be incorrectly evaluated against their parent resource permissions (e.g., vnc or sev). As a result, the RBAC engine fails to enforce the intended granular access controls. This can cause legitimate users to be denied access or allow authenticated users with specific custom roles to gain unauthorized access to subresources.
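The following Go program is an added illustration of the failure mode described above; it is not KubeVirt's code and does not reproduce its actual authorizer. It models Kubernetes-style RBAC rules with a deliberately simplified matcher (exact resource string or "*") and derives the resource string from the request path in two ways: a "truncated" mode that keeps only the first segment of a nested subresource, so "vnc/screenshot" is compared as if it were "vnc", and a "fixed" mode that keeps the whole path. The two roles (VNCOnly, ScreenshotOnly) are constructed for the demonstration and are not KubeVirt's shipped ClusterRoles.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a minimal stand-in for a Kubernetes RBAC PolicyRule, reduced to
// the two fields that matter here. Resources use the usual Kubernetes
// spelling for subresources, e.g. "virtualmachineinstances/vnc".
type Rule struct {
	Verbs     []string
	Resources []string
}

// Outcome holds the authorization decision under both evaluation modes.
type Outcome struct {
	Truncated bool // decision when the subresource is cut at its first "/"
	Fixed     bool // decision when the full subresource path is compared
}

// requestResource builds the resource string the RBAC engine compares
// against a rule. With truncate=true it reproduces the flaw described in
// the bug: only the first path segment of a nested subresource survives,
// so "vnc/screenshot" becomes "vnc" and "sev/<anything>" becomes "sev".
// With truncate=false the complete subresource path is kept.
func requestResource(resource, subresourcePath string, truncate bool) string {
	sub := strings.Trim(subresourcePath, "/")
	if sub == "" {
		return resource
	}
	if truncate {
		sub = strings.SplitN(sub, "/", 2)[0]
	}
	return resource + "/" + sub
}

// contains implements the simplified matcher: a literal match or "*".
func contains(list []string, want string) bool {
	for _, item := range list {
		if item == "*" || item == want {
			return true
		}
	}
	return false
}

// authorize walks the rules: a request is allowed if any rule grants both
// the verb and the exact resource string.
func authorize(rules []Rule, verb, resource string) bool {
	for _, r := range rules {
		if contains(r.Verbs, verb) && contains(r.Resources, resource) {
			return true
		}
	}
	return false
}

// Evaluate runs one request through the flawed and the corrected resource
// derivation so the two decisions can be compared side by side.
func Evaluate(rules []Rule, verb, resource, subresourcePath string) Outcome {
	return Outcome{
		Truncated: authorize(rules, verb, requestResource(resource, subresourcePath, true)),
		Fixed:     authorize(rules, verb, requestResource(resource, subresourcePath, false)),
	}
}

// Constructed custom roles for the demonstration (assumption: not KubeVirt's own ClusterRoles).
var (
	// VNCOnly is meant to grant the interactive VNC stream and nothing else.
	VNCOnly = []Rule{{Verbs: []string{"get"}, Resources: []string{"virtualmachineinstances/vnc"}}}
	// ScreenshotOnly is meant to grant only the screenshot subresource.
	ScreenshotOnly = []Rule{{Verbs: []string{"get"}, Resources: []string{"virtualmachineinstances/vnc/screenshot"}}}
)

func main() {
	cases := []struct {
		role  string
		rules []Rule
		sub   string
	}{
		{"vnc-only", VNCOnly, "vnc"},
		{"vnc-only", VNCOnly, "vnc/screenshot"},
		{"screenshot-only", ScreenshotOnly, "vnc/screenshot"},
	}
	for _, c := range cases {
		o := Evaluate(c.rules, "get", "virtualmachineinstances", c.sub)
		fmt.Printf("%-16s GET %-16s truncated=%-5t fixed=%t\n", c.role, c.sub, o.Truncated, o.Fixed)
	}
}
```

Running it shows both halves of the bug: under truncation the vnc-only role is allowed "vnc/screenshot" (the over-grant), while the screenshot-only role is denied the very subresource it was granted (the wrongful denial); with the full path compared, each role gets exactly what it names. When auditing a cluster for this issue, the roles to look at are custom ones that grant a parent subresource such as virtualmachineinstances/vnc without intending the nested endpoints beneath it.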