Bug 2490660 (CVE-2026-55226)

Summary: CVE-2026-55226 strimzi-cluster-operator: Unrestricted access to all Secrets within namespace watched by the Topic operator in Strimzi
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: chfoley, rgodfrey, swoodman
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
When deploying only the Topic Operator or only the User Operator via the Kafka custom resource, the Entity Operator's ServiceAccount retains RBAC rights for both operators rather than scoping permissions to the one actually deployed. This allows the ServiceAccount to access KafkaUser custom resources and Secrets even when the User Operator is not deployed, or access KafkaTopic custom resources when the Topic Operator is not deployed, violating the principle of least privilege. There is no workaround for this issue. Fixed in Strimzi 1.0.1 and 1.1.0.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-19 03:42:53 UTC
- Advisory: [GHSA-r427-j2h7-wv3m](https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-r427-j2h7-wv3m)
- Related PSIRT ticket: [PSIRTSUPT-17105](https://redhat.atlassian.net/browse/PSIRTSUPT-17105)
- Fix release: [Strimzi 1.0.1 release](https://github.com/strimzi/strimzi-kafka-operator/releases/tag/1.0.1)
- Related CVE: [CVE-2026-55225](https://access.redhat.com/security/cve/CVE-2026-55225) (discovered during same investigation)