{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6383", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-04-15T18:03:12.839Z", "datePublished": "2026-04-15T18:22:30.589Z", "dateUpdated": "2026-04-15T18:40:31.052Z"}, "containers": {"cna": {"title": "Kubevirt: kubevirt: unauthorized subresource access due to improper rbac evaluation", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat OpenShift Virtualization 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "kubevirt", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:container_native_virtualization:4"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-6383", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458741", "name": "RHBZ#2458741", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-15T18:03:18.572Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-863: Incorrect Authorization", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "timeline": [{"lang": "en", "time": "2026-04-15T18:00:56.227Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-15T18:03:18.572Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-15T18:22:30.589Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T18:40:06.751506Z", "id": "CVE-2026-6383", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:40:31.052Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6383", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T18:40:06.751506Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:40:25.744Z"}}], "cna": {"title": "Kubevirt: kubevirt: unauthorized subresource access due to improper rbac evaluation", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"cpes": ["cpe:/a:redhat:container_native_virtualization:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Virtualization 4", "packageName": "kubevirt", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-04-15T18:00:56.227Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-15T18:03:18.572Z", "value": "Made public."}], "datePublic": "2026-04-15T18:03:18.572Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-6383", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458741", "name": "RHBZ#2458741", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "Incorrect Authorization"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-15T18:22:30.589Z"}, "x_redhatCweChain": "CWE-863: Incorrect Authorization"}}, "cveMetadata": {"cveId": "CVE-2026-6383", "state": "PUBLISHED", "dateUpdated": "2026-04-15T18:40:31.052Z", "dateReserved": "2026-04-15T18:03:12.839Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-15T18:22:30.589Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources."}], "id": "CVE-2026-6383", "lastModified": "2026-04-17T15:08:01.337", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-04-15T19:16:38.520", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-6383"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458741"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"bugzilla": {"description": "kubevirt: KubeVirt: Unauthorized subresource access due to improper RBAC evaluation", "id": "2458741", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458741"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-863", "details": ["A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-6383", "package_state": [{"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "kubevirt", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-04-15T18:03:18Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6383\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6383"], "statement": "This issue has a Low impact on Red Hat products. A flaw in KubeVirt's RBAC evaluation logic improperly truncates subresource names, leading to incorrect authorization for granular subresources. This can result in legitimate users being denied access or authenticated users with specific custom roles gaining unauthorized access to subresources.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 85.0, "confidence_source": "matching", "scores": [{"score": 85.0, "source": "matching"}]}, "original": {"product": "Red Hat OpenShift Virtualization 4", "source": "cna", "vendor": "Red Hat"}, "product": "openshift_virtualization", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-16T02:29:17.602831+00:00", "value": {"mitigation_remediation": ["Apply Red\u202fHat releases that include the fix as soon as they become available", "Audit and prune custom RBAC roles, ensuring they only grant necessary subresource permissions", "Configure or monitor audit logs for anomalous subresource access to detect potential abuse"], "summary": {"action": "Assess Impact", "impact": "Unauthorized subresource access due to improper RBAC evaluation"}, "threat_synthesis": {"affected_systems": "This issue affects Red\u202fHat OpenShift Virtualization\u202f4, specifically the Container Native Virtualization product version\u202f4. No further version specifics are currently listed, so all installations within this product line are potentially impacted.", "description_and_impact": "The vulnerability in KubeVirt lies in its RBAC evaluation logic, where subresource names are improperly truncated. This flaw causes the authorization mechanism to incorrectly grant or deny permissions, allowing authenticated users with custom roles to act on subresources they should not control. Consequently, attackers could disclose sensitive data or perform unauthorized operations, and honest users may experience denied access to legitimate resources. The weakness corresponds to CWE\u2011863, indicating a depletion of permissions-checking controls.", "risk_and_exploitability": "The CVSS score of 5.4 places the vulnerability in the medium severity range. EPSS data is not available, and the CISA KEV catalog does not list it, indicating no confirmed widespread exploitation yet. The likely exploitation scenario requires an authenticated user with a custom role that includes subresource permissions; the attacker can then make requests to subresources that are incorrectly evaluated. As there is no publicly available exploit code noted, the primary risk remains the potential for unauthorized access and denial of service caused by mis\u2011evaluated roles."}}}}, "created": "2026-04-16T02:30:21.690355+00:00", "updated": "2026-04-16T09:12:30.466348+00:00", "vendors": ["redhat", "redhat$PRODUCT$openshift_virtualization"]}