Description
vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, the scope can be bypassed to access resources outside of it. However, the user still cannot access resources beyond what is accessible to the owner of the access key. Versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10 fix the vulnerability. Some other mitigations are available. Users can limit exposure by reviewing access keys which are scoped and ensuring any users with access to them have appropriate permissions set. Creating automation users with very limited permissions and using access keys for these automation users can be used as a temporary workaround where upgrading is not immediately possible but scoped access keys are needed.
Published: 2026-01-29
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized resource access due to scope bypass in access keys
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in the handling of access keys in vCluster Platform. When a key is created with a limited scope, the scope can be bypassed, allowing the holder to interact with resources beyond the intended restrictions. Although the attacker remains bound by the permissions that the key owner would normally have, the bypass removes the intended scope guard, leading to unauthorized data or resource exposure. This represents a critical access control weakness (CWE-863) that can compromise the isolation guarantees of virtual clusters.

Affected Systems

Loft-sh offers the vCluster Platform, which is affected in all releases prior to 4.6.0, 4.5.4, 4.4.2, and 4.3.10. Systems running earlier versions are vulnerable; upgrading to the fixed version of the relevant release line removes the defect.

Risk and Exploitability

The CVSS score is 9.1, indicating critical severity. The EPSS score is below 1%, meaning the probability of exploitation in the wild is currently low, and the issue is not recorded in CISA's KEV catalog. Nonetheless, because the flaw involves an access key, an attacker who can create or obtain a key with limited scope could exploit the vulnerability by requesting operations that fall outside that scope, provided those operations would otherwise be permitted by the key owner's permissions. The attack path leverages the existing key management infrastructure, so no additional foothold is required beyond possessing a legitimate access key. Organizations should treat this as a high-risk exposure pending patch.

Generated by OpenCVE AI on April 18, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a fixed version of vCluster Platform (4.6.0 or later; or 4.5.4, 4.4.2, or 4.3.10, whichever is the fixed release of the line you are running).
  • Review and revoke any scoped access keys that may have been created before the fix, and generate new keys with properly scoped permissions.
  • If upgrading cannot be performed immediately, create automation users with the minimum permissions necessary for your automation tasks, issue access keys to those users, and avoid using keys that were created with arbitrary scopes.
  • Ensure that user roles assigned to automation users are restricted to the specific resources they need, limiting potential impact of any future key vulnerabilities.
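An added triage helper, not part of the advisory or of vCluster Platform, that applies the actions above: it decides whether an installed version falls in the affected range (per release line, as the advisory lists the fixes) and ranks scoped access keys for review, putting keys whose owner holds elevated roles first. The key inventory format, the field names and the set of "privileged" roles are assumptions for the example.

```python
# Added triage helper for CVE-2026-22806 (not the advisory's or the project's code).
from dataclasses import dataclass
from datetime import date

# Fixed versions per release line, as listed in the advisory. 4.6.0 and later are fixed;
# any 4.x line older than 4.3 has no fix and therefore counts as affected.
FIXED = {(4, 3): (4, 3, 10), (4, 4): (4, 4, 2), (4, 5): (4, 5, 4)}
FIRST_FIXED_LINE = (4, 6, 0)


def parse_version(v: str) -> tuple:
    """Turn 'v4.5.3' or '4.5' into a comparable (major, minor, patch) tuple (plain x.y.z assumed)."""
    parts = v.lstrip("v").split(".")[:3]
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True when the version is prior to the fix for its release line."""
    ver = parse_version(version)
    if ver >= FIRST_FIXED_LINE:
        return False
    fixed = FIXED.get(ver[:2])
    if fixed is None:          # e.g. 4.2.x: older than every fixed line, no patched release
        return True
    return ver < fixed


@dataclass
class AccessKey:               # constructed inventory record; field names are assumptions
    name: str
    owner: str
    owner_roles: frozenset     # roles granted to the key owner
    scoped: bool               # key was created with a limited scope
    created: date


PRIVILEGED_ROLES = frozenset({"admin", "cluster-admin"})   # assumption: roles treated as elevated


def keys_to_review(keys, platform_version: str) -> list:
    """On an affected version, return scoped keys for review; owners with broad roles come first,
    then oldest keys first. On a fixed version the scope is enforced, so nothing is flagged."""
    if not is_affected(platform_version):
        return []
    scoped = [k for k in keys if k.scoped]
    return sorted(scoped, key=lambda k: (not (k.owner_roles & PRIVILEGED_ROLES), k.created))


SAMPLE_KEYS = [   # constructed sample data, not a real inventory
    AccessKey("ci-deploy", "alice", frozenset({"admin"}), scoped=True, created=date(2025, 11, 3)),
    AccessKey("readonly-bot", "bot", frozenset({"viewer"}), scoped=True, created=date(2025, 12, 1)),
    AccessKey("full-key", "bob", frozenset({"admin"}), scoped=False, created=date(2026, 1, 5)),
]
```

Flagged keys are the candidates to revoke and re-issue; a scoped key held by an owner with only "viewer"-level roles is lower priority because the bypass still cannot exceed the owner's own permissions.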

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Loft-sh; Loft-sh loft
Vendors & Products | | Loft-sh; Loft-sh loft

Thu, 29 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 29 Jan 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | (the CVE description shown under "Description" at the top of this page)
Title | | vCluster Platform's Access Keys Allows Access Beyond Scope
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-29T21:19:58.653Z

Reserved: 2026-01-09T22:50:10.288Z

Link: CVE-2026-22806

Vulnrichment

Updated: 2026-01-29T21:19:54.796Z

NVD

Status: Deferred

Published: 2026-01-29T20:16:10.277

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22806

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:30:16Z

Weaknesses