Description
Aiven Operator allows you to provision and manage Aiven Services from your Kubernetes cluster. From 0.31.0 to before 0.37.0, a developer with create permission on ClickhouseUser CRDs in their own namespace can exfiltrate secrets from any other namespace — production database credentials, API keys, service tokens — with a single kubectl apply. The operator reads the victim's secret using its ClusterRole and writes the password into a new secret in the attacker's namespace. The operator acts as a confused deputy: its ServiceAccount has cluster-wide secret read/write (aiven-operator-role ClusterRole), and it trusts user-supplied namespace values in spec.connInfoSecretSource.namespace without validation. No admission webhook enforces this boundary — the ServiceUser webhook returns nil, and no ClickhouseUser webhook exists. This vulnerability is fixed in 0.37.0.
Published: 2026-04-09
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Secret exfiltration across namespaces
Action: Immediate Patch
AI Analysis

Impact

The Aiven Operator in versions 0.31.0 through 0.36.x allows a user with create permission on ClickhouseUser objects in their own namespace to read secrets from any other namespace. When a ClickhouseUser is applied, the operator interprets the spec.connInfoSecretSource.namespace field without validation and copies the referenced secret into a new secret in the attacker’s namespace. This produces unauthorized exposure of production database credentials, API keys, and service tokens. The weakness is a confused deputy scenario where the operator’s ServiceAccount holds cluster‑wide secret read/write permissions, allowing the user to exploit the operator’s trust of user‑supplied namespace values. The impact is confidentiality violation, potentially leading to compromised services and data leakage.

Affected Systems

This flaw affects the Aiven Operator, a Kubernetes operator for provisioning Aiven services. Vulnerable releases are from 0.31.0 up to, but not including, 0.37.0. Any deployment running these versions is susceptible to the exploit if a user can create ClickhouseUser resources in their namespace.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.8, indicating moderate severity. EPSS data is unavailable, and the flaw is not listed in the CISA KEV catalog. The attack vector is inferred to be local within the cluster: an attacker must have permission to create ClickhouseUser resources in their own namespace and the operator will then read secrets from other namespaces due to its cluster‑wide role. The operator’s lack of admission validation and the absence of a dedicated webhook amplify the exploitation path. All these factors combine to present a clear risk of unauthorized secret disclosure to any component that can install a vulnerable operator version.

Generated by OpenCVE AI on April 9, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Aiven Operator to version 0.37.0 or later, which removes the unvalidated namespace reference.
  • If upgrading is not immediately possible, limit the operator’s ServiceAccount permissions so it does not have cluster‑wide secret read/write rights.
  • Ensure that ClickhouseUser specifications do not reference namespaces outside the current one and verify that no custom webhooks exist to enforce this boundary.

Generated by OpenCVE AI on April 9, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-99j8-wv67-4c72 Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource
History

Fri, 10 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Aiven
Aiven aiven-operator
Vendors & Products Aiven
Aiven aiven-operator

Thu, 09 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description Aiven Operator allows you to provision and manage Aiven Services from your Kubernetes cluster. From 0.31.0 to before 0.37.0, a developer with create permission on ClickhouseUser CRDs in their own namespace can exfiltrate secrets from any other namespace — production database credentials, API keys, service tokens — with a single kubectl apply. The operator reads the victim's secret using its ClusterRole and writes the password into a new secret in the attacker's namespace. The operator acts as a confused deputy: its ServiceAccount has cluster-wide secret read/write (aiven-operator-role ClusterRole), and it trusts user-supplied namespace values in spec.connInfoSecretSource.namespace without validation. No admission webhook enforces this boundary — the ServiceUser webhook returns nil, and no ClickhouseUser webhook exists. This vulnerability is fixed in 0.37.0.
Title Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource
Weaknesses CWE-269
CWE-441
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Aiven Aiven-operator
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T14:08:22.087Z

Reserved: 2026-04-07T22:40:33.822Z

Link: CVE-2026-39961

cve-icon Vulnrichment

Updated: 2026-04-10T14:08:16.792Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-09T18:17:02.053

Modified: 2026-04-13T15:02:27.760

Link: CVE-2026-39961

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:31:58Z

Weaknesses