EXECUTIVE SUMMARY:
CVE-2026-53999 (CVSS score 7.7) is a configuration-validation issue in the Radius Kubernetes controller that can cause it to issue a `DELETE` for the container resource referenced by a tampered `radapp.io/status` annotation on a Deployment. It affects versions of the radius package earlier than 0.58.0. An attacker who can create or modify Deployments injects a malicious annotation; the controller deserializes it and, without validating the referenced resource, uses its own high-privilege credentials to send a deletion request for that container to the Radius API. Successful exploitation lets the attacker delete container resources, potentially including other teams' resources in multi-tenant installations, with business impact such as service disruption and potential data loss. Prerequisites for exploitation are the ability to create or modify Deployments and the presence of a multi-tenant installation topology.
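The root cause described above is that a value read back from an attacker-writable annotation is trusted as the target of a privileged `DELETE`. The following Go program is an added illustration, not Radius code, of the check a controller should perform before acting on such a value: deserialize the annotation, then validate the referenced container ID against a scope the controller already trusts (here a constructed namespace-to-resource-group mapping) rather than against anything on the object being reconciled. The annotation field name, the resource-ID format and the `namespaceScope` mapping are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Annotation the controller reads back from a Deployment. The JSON field name
// is an assumption for this example; the real Radius schema is not shown here.
const statusAnnotationKey = "radapp.io/status"

type statusAnnotation struct {
	Container string `json:"container"` // resource ID of the container this Deployment belongs to
}

// Minimal view of a Deployment: only what the check needs.
type deployment struct {
	Name        string
	Namespace   string
	Annotations map[string]string
}

// Trusted mapping from namespace to the resource-ID prefix that Deployments in
// that namespace may act on. In a real controller this would come from the
// controller's own records, never from the object being reconciled. Both the
// namespaces and the ID format are constructed for this example.
var namespaceScope = map[string]string{
	"team-a": "/resourceGroups/team-a/containers/",
	"team-b": "/resourceGroups/team-b/containers/",
}

var (
	errUnscopedNamespace = errors.New("no trusted scope for namespace")
	errOutOfScope        = errors.New("annotation references a container outside the Deployment's scope")
	errMalformedID       = errors.New("annotation container ID is malformed")
)

// containerToDelete deserializes the status annotation and returns the
// container resource ID the controller may delete, or "" when there is nothing
// to do. Anyone who can edit the Deployment can write the annotation, so the
// referenced ID is validated against the trusted scope before it is ever
// handed to the API client.
func containerToDelete(d deployment) (string, error) {
	raw, ok := d.Annotations[statusAnnotationKey]
	if !ok || raw == "" {
		return "", nil
	}
	var st statusAnnotation
	if err := json.Unmarshal([]byte(raw), &st); err != nil {
		return "", fmt.Errorf("%w: %v", errMalformedID, err)
	}
	scope, ok := namespaceScope[d.Namespace]
	if !ok {
		return "", fmt.Errorf("%w: %q", errUnscopedNamespace, d.Namespace)
	}
	if !strings.HasPrefix(st.Container, scope) {
		return "", fmt.Errorf("%w: %q", errOutOfScope, st.Container)
	}
	// The remainder must be exactly one path segment: no nested paths and no
	// ".." that could steer the DELETE at a different resource group.
	name := strings.TrimPrefix(st.Container, scope)
	if name == "" || name == "." || name == ".." || strings.Contains(name, "/") {
		return "", fmt.Errorf("%w: %q", errMalformedID, st.Container)
	}
	return st.Container, nil
}

// fakeClient records the DELETE calls a controller would send to the API so
// the effect of the check can be observed without a live cluster.
type fakeClient struct{ deleted []string }

func (c *fakeClient) Delete(id string) { c.deleted = append(c.deleted, id) }

// reconcile applies the check to each Deployment being cleaned up and returns
// the rejections, which is what a detection rule would alert on.
func reconcile(c *fakeClient, ds []deployment) (rejected []string) {
	for _, d := range ds {
		id, err := containerToDelete(d)
		if err != nil {
			rejected = append(rejected, fmt.Sprintf("%s/%s: %v", d.Namespace, d.Name, err))
			continue
		}
		if id != "" {
			c.Delete(id)
		}
	}
	return rejected
}

func main() {
	// Constructed sample: one legitimate annotation and one tampered to point
	// at another team's container.
	ds := []deployment{
		{Name: "web", Namespace: "team-a", Annotations: map[string]string{
			statusAnnotationKey: `{"container":"/resourceGroups/team-a/containers/web"}`}},
		{Name: "evil", Namespace: "team-a", Annotations: map[string]string{
			statusAnnotationKey: `{"container":"/resourceGroups/team-b/containers/payments"}`}},
	}
	c := &fakeClient{}
	for _, r := range reconcile(c, ds) {
		fmt.Println("rejected:", r)
	}
	fmt.Println("deleted:", c.deleted)
}
```

The scope check closes the cross-tenant case the advisory describes. Binding the container name to a controller-owned record (an owner reference or the controller's own state) instead of the annotation would also cover a tampered annotation that stays inside the Deployment's own namespace; logging every rejection, as `reconcile` does, gives operators a signal that someone is editing status annotations by hand.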
RECOMMENDATION:
We recommend updating Radius to version 0.58.0.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-fp5j-4fj2-4jvq