Description
Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Azure Kubernetes Service allows an authorized attacker to execute code locally.
Published: 2026-06-09
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a path traversal (CWE-22): an improper limitation of a pathname to a restricted directory. An authorized attacker can supply a crafted path that bypasses the directory restriction, enabling local execution of arbitrary code on the Azure Kubernetes Service host. The resulting code execution (Microsoft titles the issue a remote code execution vulnerability, although the CVSS vector rates the attack vector as local, AV:L) compromises the integrity and confidentiality of the cluster and potentially all workloads it hosts.

Affected Systems

The flaw affects Microsoft Azure Kubernetes Service deployments. No specific version information is disclosed in the advisory, so all current AKS clusters may be vulnerable until Microsoft releases a patch.

Risk and Exploitability

The reference CVSS score of 8.8 classifies this as a high-severity vulnerability. EPSS data is not available, and the vulnerability is not yet listed in the CISA KEV catalog, suggesting limited prior exploitation. The flaw requires an attacker to already possess authorized access to the AKS environment, so an attack would come from an insider or a compromised account. Attackers could trigger the path traversal to reach privileged directories and execute code, potentially leading to full cluster compromise.

Generated by OpenCVE AI on June 9, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft update that addresses CVE-2026-32193 to the Azure Kubernetes Service cluster.
  • Validate that the cluster is running the patched version by consulting the Microsoft update guide.
  • Enforce least‑privilege RBAC and review role assignments to limit the privileges of accounts that can interact with the AKS API.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Values added (none removed):

Description: Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Azure Kubernetes Service allows an authorized attacker to execute code locally.
Title: Azure Kubernetes Service (AKS) Remote Code Execution Vulnerability
First Time appeared: Microsoft; Microsoft azure Kubernetes Service
Weaknesses: CWE-22
CPEs: cpe:2.3:a:microsoft:azure_kubernetes_service:*:*:*:*:*:*:*:*
Vendors & Products: Microsoft; Microsoft azure Kubernetes Service
References:
Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T17:48:41.108Z

Reserved: 2026-03-11T00:26:53.427Z

Link: CVE-2026-32193

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:03.600

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-32193

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T18:30:11Z

Weaknesses