EXECUTIVE SUMMARY:
CVE-2026-45730 (CVSS 8.3) is a missing-authorization flaw in the Nuclio serverless platform's Dashboard API, affecting the github.com/nuclio/nuclio package in all releases prior to version. The write endpoints for project management construct OPA permission options without populating the MemberIds field, and the platform's FilterProjectsByPermissions routine skips policy enforcement whenever MemberIds is empty, so those write paths are effectively unfiltered. Any holder of a valid Dashboard credential, regardless of project membership, can send HTTP requests to those endpoints naming a target project identifier and modify its configuration or delete it outright. Exploitation needs only network access to the Dashboard and an authenticated user; no Kubernetes RBAC or other additional privilege is required. A successful attack gives the attacker full control over any project and, on deletion, removes all of its functions, API gateways, and events, which can disrupt production workloads, cause data loss, and break multi-tenant isolation. The attack is viable whenever the Dashboard is reachable and authentication is enabled; the OPA check on the write paths is skipped by the affected code itself, not by any deployment setting.
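The fail-open pattern the summary describes, shown as an added illustration that is not Nuclio's code: a membership filter that returns every project unchanged when MemberIds is empty, next to a fail-closed version, with a write-handler check built on each. The Project and PermissionOptions types, the filter and handler functions, and the sample projects and user names are assumptions made for this example; the in-process membership check stands in for the OPA query, and only the MemberIds field name is taken from the advisory.

```go
package main

import (
	"errors"
	"fmt"
)

// Project is a hypothetical stand-in for a Nuclio project; it is not Nuclio's
// own type. Members holds the IDs of users allowed to act on the project.
type Project struct {
	ID      string
	Members []string
}

// PermissionOptions reuses the MemberIds field name from the advisory; the
// struct itself is an assumption for this example, not Nuclio's definition.
type PermissionOptions struct {
	MemberIds []string
}

// ErrUnauthorized is returned when the target project is not visible to the
// caller after filtering.
var ErrUnauthorized = errors.New("caller is not a member of the target project")

// filterByMembership keeps only projects that list at least one of the
// caller's member IDs. It stands in for the OPA query; the policy logic is
// simplified for the example.
func filterByMembership(projects []Project, memberIDs []string) []Project {
	allowed := make(map[string]struct{}, len(memberIDs))
	for _, id := range memberIDs {
		allowed[id] = struct{}{}
	}
	var out []Project
	for _, p := range projects {
		for _, m := range p.Members {
			if _, ok := allowed[m]; ok {
				out = append(out, p)
				break
			}
		}
	}
	return out
}

// filterProjectsVulnerable reproduces the fail-open behaviour described in
// the advisory: with an empty MemberIds the filter returns every project
// untouched, so a handler that forgot to populate the field authorizes any
// caller for any project.
func filterProjectsVulnerable(projects []Project, opts PermissionOptions) []Project {
	if len(opts.MemberIds) == 0 {
		return projects // BUG: nothing to compare against, so nothing is filtered out
	}
	return filterByMembership(projects, opts.MemberIds)
}

// filterProjectsHardened fails closed: a caller with no member IDs can match
// no project, so an unpopulated field denies instead of allowing.
func filterProjectsHardened(projects []Project, opts PermissionOptions) []Project {
	if len(opts.MemberIds) == 0 {
		return nil
	}
	return filterByMembership(projects, opts.MemberIds)
}

// authorizeWrite models the check a project write handler should make before
// modifying or deleting targetID: the project must survive the filter.
func authorizeWrite(filter func([]Project, PermissionOptions) []Project,
	projects []Project, targetID string, opts PermissionOptions) error {
	for _, p := range filter(projects, opts) {
		if p.ID == targetID {
			return nil
		}
	}
	return ErrUnauthorized
}

// sampleProjects is constructed data for the example.
func sampleProjects() []Project {
	return []Project{
		{ID: "prod", Members: []string{"alice"}},
		{ID: "sandbox", Members: []string{"mallory"}},
	}
}

func main() {
	projects := sampleProjects()
	// A write handler that never filled in MemberIds, as the advisory describes.
	forgotten := PermissionOptions{}
	// A handler that populated the field from the authenticated user "mallory".
	mallory := PermissionOptions{MemberIds: []string{"mallory"}}

	fmt.Println("vulnerable, empty MemberIds, delete prod:",
		authorizeWrite(filterProjectsVulnerable, projects, "prod", forgotten))
	fmt.Println("hardened, empty MemberIds, delete prod:  ",
		authorizeWrite(filterProjectsHardened, projects, "prod", forgotten))
	fmt.Println("hardened, mallory, delete prod:          ",
		authorizeWrite(filterProjectsHardened, projects, "prod", mallory))
	fmt.Println("hardened, mallory, delete sandbox:       ",
		authorizeWrite(filterProjectsHardened, projects, "sandbox", mallory))
}
```

The check to make in a real codebase is the same on both sides: every write handler must populate the member field from the authenticated identity, and the filter itself must treat an empty field as deny, so that a single forgotten assignment in one handler cannot widen access to every project.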
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-m8xg-8xg9-mxhm