Threat Advisory

Strimzi Vulnerability Enables Cross-Namespace Privilege Escalation

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-55225 (CVSS score 8.0) is a privilege-escalation flaw in the Strimzi Kafka operator for Kubernetes that affects the maven/io.strimzi:strimzi package, version 1.0.0 and earlier. The vulnerability arises because the Cluster Operator automatically creates a Role granting full CRUD access to Secrets in whatever namespace is named in the `watchedNamespace` field of the Topic or User operator configuration, and then binds that Role to the entity-operator ServiceAccount. An attacker who can submit a malicious Kafka custom resource in their own namespace can set `watchedNamespace` to a target namespace, causing the operator to generate the overly permissive Role and RoleBinding; the attacker can then request a token for the ServiceAccount and read or modify Secrets in the target namespace. Exploitation requires only namespace-level access to create the custom resource and does not need cluster-admin privileges, provided the Cluster Operator already has permission to manage the target namespace via existing RoleBindings. Successful abuse enables the adversary to steal credentials, inject configuration data, or disrupt services, leading to data breaches, unauthorized service manipulation, and potential compliance violations.
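One defender-side check for the condition described above, as an added example that is not part of this advisory or of the Strimzi project: it audits Role and RoleBinding objects (in the shape of `kubectl get roles,rolebindings -A -o json` items) for a Role granting Secrets access that is bound to a ServiceAccount living in a different namespace from the binding. All names and namespaces below are constructed sample data.

```python
# Added example (not from the advisory or the Strimzi project): find Roles that grant
# Secrets access to a ServiceAccount from another namespace, the RBAC shape the
# advisory describes. Input mimics `kubectl get roles,rolebindings -A -o json` items.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def secret_verbs(role):
    """Verbs a Role grants on core-group 'secrets' (wildcards count)."""
    verbs = set()
    for rule in role.get("rules", []):
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        if ({"", "*"} & set(groups)) and ({"secrets", "*"} & set(resources)):
            verbs.update(rule.get("verbs", []))
    return verbs


def cross_namespace_secret_grants(roles, bindings):
    """Flag bindings whose subject ServiceAccount is outside the binding's namespace
    and whose referenced Role grants any access to Secrets there."""
    by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    findings = []
    for rb in bindings:
        ns, ref = rb["metadata"]["namespace"], rb["roleRef"]
        # ClusterRole references need a separate audit; only namespaced Roles here.
        role = by_key.get((ns, ref["name"])) if ref.get("kind") == "Role" else None
        verbs = secret_verbs(role) if role else set()
        for s in rb.get("subjects", []):
            if verbs and s.get("kind") == "ServiceAccount" and s.get("namespace", ns) != ns:
                findings.append({"binding": f"{ns}/{rb['metadata']['name']}",
                                 "subject": f"{s['namespace']}/{s['name']}",
                                 "can_write": bool(verbs & WRITE_VERBS)})
    return findings


# Constructed sample: an operator-generated Role in "payments" bound once to an
# entity-operator ServiceAccount in "tenant-a" (finding) and once locally (benign).
SAMPLE_ROLES = [
    {"metadata": {"namespace": "payments", "name": "demo-entity-operator"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "verbs": ["get", "list", "watch", "create", "patch", "update", "delete"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"namespace": "payments", "name": "demo-entity-operator"},
     "roleRef": {"kind": "Role", "name": "demo-entity-operator"},
     "subjects": [{"kind": "ServiceAccount", "name": "demo-entity-operator", "namespace": "tenant-a"}]},
    {"metadata": {"namespace": "payments", "name": "local-entity-operator"},
     "roleRef": {"kind": "Role", "name": "demo-entity-operator"},
     "subjects": [{"kind": "ServiceAccount", "name": "demo-entity-operator", "namespace": "payments"}]},
]

if __name__ == "__main__":
    for f in cross_namespace_secret_grants(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print("CROSS-NAMESPACE SECRET GRANT:", f)
```

A hit for a subject outside the binding's namespace is the pattern to investigate; whether it is legitimate depends on which Kafka custom resource created it and whether that resource's owner is entitled to the target namespace.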

RECOMMENDATION:

  • We recommend updating Strimzi to version 1.0.1.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-mw9r-p8xp-wx96
