{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39961", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T22:40:33.822Z", "datePublished": "2026-04-09T17:14:07.330Z", "dateUpdated": "2026-04-10T14:08:22.087Z"}, "containers": {"cna": {"title": "Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-441", "lang": "en", "description": "CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/aiven/aiven-operator/security/advisories/GHSA-99j8-wv67-4c72", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aiven/aiven-operator/security/advisories/GHSA-99j8-wv67-4c72"}, {"name": "https://github.com/aiven/aiven-operator/commit/032c9ba63257fdd2fddfb7f73f71830e371ff182", "tags": ["x_refsource_MISC"], "url": "https://github.com/aiven/aiven-operator/commit/032c9ba63257fdd2fddfb7f73f71830e371ff182"}, {"name": "https://github.com/aiven/aiven-operator/releases/tag/v0.37.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/aiven/aiven-operator/releases/tag/v0.37.0"}], "affected": [{"vendor": "aiven", "product": "aiven-operator", "versions": [{"version": "< 0.37.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T17:14:07.330Z"}, "descriptions": [{"lang": "en", "value": "Aiven Operator allows you to provision and manage Aiven Services from your Kubernetes cluster. From 0.31.0 to before 0.37.0, a developer with create permission on ClickhouseUser CRDs in their own namespace can exfiltrate secrets from any other namespace \u2014 production database credentials, API keys, service tokens \u2014 with a single kubectl apply. The operator reads the victim's secret using its ClusterRole and writes the password into a new secret in the attacker's namespace. The operator acts as a confused deputy: its ServiceAccount has cluster-wide secret read/write (aiven-operator-role ClusterRole), and it trusts user-supplied namespace values in spec.connInfoSecretSource.namespace without validation. No admission webhook enforces this boundary \u2014 the ServiceUser webhook returns nil, and no ClickhouseUser webhook exists. This vulnerability is fixed in 0.37.0."}], "source": {"advisory": "GHSA-99j8-wv67-4c72", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T14:08:13.060841Z", "id": "CVE-2026-39961", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:08:22.087Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39961", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T14:08:13.060841Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:08:16.792Z"}}], "cna": {"title": "Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource", "source": {"advisory": "GHSA-99j8-wv67-4c72", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "aiven", "product": "aiven-operator", "versions": [{"status": "affected", "version": "< 0.37.0"}]}], "references": [{"url": "https://github.com/aiven/aiven-operator/security/advisories/GHSA-99j8-wv67-4c72", "name": "https://github.com/aiven/aiven-operator/security/advisories/GHSA-99j8-wv67-4c72", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/aiven/aiven-operator/commit/032c9ba63257fdd2fddfb7f73f71830e371ff182", "name": "https://github.com/aiven/aiven-operator/commit/032c9ba63257fdd2fddfb7f73f71830e371ff182", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/aiven/aiven-operator/releases/tag/v0.37.0", "name": "https://github.com/aiven/aiven-operator/releases/tag/v0.37.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Aiven Operator allows you to provision and manage Aiven Services from your Kubernetes cluster. From 0.31.0 to before 0.37.0, a developer with create permission on ClickhouseUser CRDs in their own namespace can exfiltrate secrets from any other namespace \u2014 production database credentials, API keys, service tokens \u2014 with a single kubectl apply. The operator reads the victim's secret using its ClusterRole and writes the password into a new secret in the attacker's namespace. The operator acts as a confused deputy: its ServiceAccount has cluster-wide secret read/write (aiven-operator-role ClusterRole), and it trusts user-supplied namespace values in spec.connInfoSecretSource.namespace without validation. No admission webhook enforces this boundary \u2014 the ServiceUser webhook returns nil, and no ClickhouseUser webhook exists. This vulnerability is fixed in 0.37.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-441", "description": "CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T17:14:07.330Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39961", "state": "PUBLISHED", "dateUpdated": "2026-04-10T14:08:22.087Z", "dateReserved": "2026-04-07T22:40:33.822Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T17:14:07.330Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aiven:aiven_operator:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5AF06D3-28FA-443E-9DFC-D2212C1434E6", "versionEndExcluding": "0.37.0", "versionStartIncluding": "0.31.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Aiven Operator allows you to provision and manage Aiven Services from your Kubernetes cluster. From 0.31.0 to before 0.37.0, a developer with create permission on ClickhouseUser CRDs in their own namespace can exfiltrate secrets from any other namespace \u2014 production database credentials, API keys, service tokens \u2014 with a single kubectl apply. The operator reads the victim's secret using its ClusterRole and writes the password into a new secret in the attacker's namespace. The operator acts as a confused deputy: its ServiceAccount has cluster-wide secret read/write (aiven-operator-role ClusterRole), and it trusts user-supplied namespace values in spec.connInfoSecretSource.namespace without validation. No admission webhook enforces this boundary \u2014 the ServiceUser webhook returns nil, and no ClickhouseUser webhook exists. This vulnerability is fixed in 0.37.0."}], "id": "CVE-2026-39961", "lastModified": "2026-05-13T16:06:00.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-09T18:17:02.053", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/aiven/aiven-operator/commit/032c9ba63257fdd2fddfb7f73f71830e371ff182"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/aiven/aiven-operator/releases/tag/v0.37.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/aiven/aiven-operator/security/advisories/GHSA-99j8-wv67-4c72"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-441"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.37.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "aiven-operator", "source": "cna", "vendor": "aiven"}, "product": "aiven-operator", "vendor": "aiven"}], "analysis": {"en": {"generated_at": "2026-04-09T18:20:48.691319+00:00", "value": {"mitigation_remediation": ["Upgrade the Aiven Operator to version 0.37.0 or later, which removes the unvalidated namespace reference.", "If upgrading is not immediately possible, limit the operator\u2019s ServiceAccount permissions so it does not have cluster\u2011wide secret read/write rights.", "Ensure that ClickhouseUser specifications do not reference namespaces outside the current one and verify that no custom webhooks exist to enforce this boundary."], "summary": {"action": "Immediate Patch", "impact": "Secret exfiltration across namespaces"}, "threat_synthesis": {"affected_systems": "This flaw affects the Aiven Operator, a Kubernetes operator for provisioning Aiven services. Vulnerable releases are from 0.31.0 up to, but not including, 0.37.0. Any deployment running these versions is susceptible to the exploit if a user can create ClickhouseUser resources in their namespace.", "description_and_impact": "The Aiven Operator in versions 0.31.0 through 0.36.x allows a user with create permission on ClickhouseUser objects in their own namespace to read secrets from any other namespace. When a ClickhouseUser is applied, the operator interprets the spec.connInfoSecretSource.namespace field without validation and copies the referenced secret into a new secret in the attacker\u2019s namespace. This produces unauthorized exposure of production database credentials, API keys, and service tokens. The weakness is a confused deputy scenario where the operator\u2019s ServiceAccount holds cluster\u2011wide secret read/write permissions, allowing the user to exploit the operator\u2019s trust of user\u2011supplied namespace values. The impact is confidentiality violation, potentially leading to compromised services and data leakage.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.8, indicating moderate severity. EPSS data is unavailable, and the flaw is not listed in the CISA KEV catalog. The attack vector is inferred to be local within the cluster: an attacker must have permission to create ClickhouseUser resources in their own namespace and the operator will then read secrets from other namespaces due to its cluster\u2011wide role. The operator\u2019s lack of admission validation and the absence of a dedicated webhook amplify the exploitation path. All these factors combine to present a clear risk of unauthorized secret disclosure to any component that can install a vulnerable operator version."}}}}, "created": "2026-04-10T08:52:47.747245+00:00", "updated": "2026-04-10T09:31:58.883474+00:00", "vendors": ["aiven", "aiven$PRODUCT$aiven-operator"]}