Description
When the Strimzi cluster operator is deployed with watchAnyNamespace=true (or a multi-namespace list), any namespace editor can set Kafka.spec.entityOperator.userOperator.watchedNamespace (or topicOperator.watchedNamespace) to an arbitrary namespace. The cluster operator then creates a Role granting full CRUD on Secrets in the target namespace and a RoleBinding pointing to a ServiceAccount in the attacker's namespace — effectively granting cluster-admin-equivalent access via kube-system secret exfiltration. The RBAC objects created cross-namespace have their ownerReferences deliberately stripped, making the privilege grant persistent even after the Kafka CR or attacker namespace is deleted. Fixed in Strimzi 1.0.1 and 1.1.0 by adding a dedicated environment variable to explicitly enable the watched namespace feature (disabled by default).
Published: n/a
Score: 8.0 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows any user with namespace editor privileges to set a Kafka custom resource's entityOperator.userOperator.watchedNamespace (or topicOperator.watchedNamespace) to an arbitrary namespace. This causes the cluster operator to create a Role that permits full CRUD on Secrets in the target namespace and a RoleBinding that points to the attacker's ServiceAccount. The resulting RBAC objects lack ownerReferences, so the elevated privileges persist even after the Kafka custom resource or the attacker's namespace is deleted. The flaw results in arbitrary manipulation of Secrets, leading to possible data exfiltration and full control of the cluster.

Affected Systems

All Strimzi cluster operator installations before 1.0.1 or 1.1.0 that run with watchAnyNamespace=true (or a multi-namespace list), since the watched-namespace feature was active in those versions; from 1.0.1 and 1.1.0 on, the feature is disabled by default.

Risk and Exploitability

The CVSS score of 8.0 classifies this as a high-severity vulnerability. While an EPSS score is not reported, the exposure is significant due to the wide-scope impact on Secrets and the persistence of the malicious RBAC objects. The vulnerability is not listed in the CISA KEV catalog, but the potential for severe compromise warrants prompt remediation.

Generated by OpenCVE AI on June 18, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Strimzi cluster operator to version 1.0.1 or newer (or 1.1.0 or newer if applicable).
  • Ensure the watched-namespace feature remains disabled unless explicitly required; enable it only with the dedicated environment variable.
  • Limit namespace editor permissions, granting such privileges only to trusted administrators and audit any role bindings that grant Secrets access to prevent accidental exposure.
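An added audit script (not OpenCVE's, Strimzi's or the advisory's code) that implements the last two recommendations against constructed `kubectl ... -o json` output: it flags Kafka CRs whose Entity Operator is pointed at a foreign namespace, and RoleBindings with no ownerReferences that bind a ServiceAccount from another namespace, the shape of the grant described above. The namespace, cluster, ServiceAccount and RoleBinding names are made-up sample values, not identifiers from the advisory.

```python
import json

# Constructed sample of `kubectl get kafka -A -o json` (not real cluster output):
# team-a's Kafka CR points its User Operator at kube-system, team-b's at itself.
KAFKA_LIST = json.loads("""
{"items": [
 {"metadata": {"namespace": "team-a", "name": "my-cluster"},
  "spec": {"entityOperator": {"userOperator": {"watchedNamespace": "kube-system"}}}},
 {"metadata": {"namespace": "team-b", "name": "other"},
  "spec": {"entityOperator": {"userOperator": {"watchedNamespace": "team-b"}}}}
]}""")

# Constructed sample of `kubectl get rolebinding -A -o json`: a binding in the
# target namespace whose subject lives elsewhere and which has no ownerReferences
# (the binding name and shape are assumed, not taken from the advisory).
ROLEBINDING_LIST = json.loads("""
{"items": [
 {"metadata": {"namespace": "kube-system", "name": "example-entity-operator"},
  "roleRef": {"kind": "Role", "name": "example-entity-operator"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "team-a",
                "name": "my-cluster-entity-operator"}]}
]}""")

def cross_namespace_watches(kafka_list):
    # (namespace, name, component, watched) for each Kafka CR whose Entity
    # Operator is configured to watch a namespace other than its own.
    hits = []
    for item in kafka_list.get("items", []):
        ns, name = item["metadata"]["namespace"], item["metadata"]["name"]
        eo = item.get("spec", {}).get("entityOperator") or {}
        for component in ("userOperator", "topicOperator"):
            watched = (eo.get(component) or {}).get("watchedNamespace")
            if watched and watched != ns:
                hits.append((ns, name, component, watched))
    return hits

def orphaned_foreign_rolebindings(rb_list):
    # RoleBindings without ownerReferences whose subjects include a ServiceAccount
    # from another namespace: these outlive the Kafka CR that caused them.
    hits = []
    for rb in rb_list.get("items", []):
        meta = rb["metadata"]
        if meta.get("ownerReferences"):
            continue
        foreign = [f"{s['namespace']}/{s['name']}" for s in rb.get("subjects", [])
                   if s.get("kind") == "ServiceAccount"
                   and s.get("namespace", meta["namespace"]) != meta["namespace"]]
        if foreign:
            hits.append((meta["namespace"], meta["name"], foreign))
    return hits
```

Run the two functions over the live output of the corresponding kubectl commands; any hit in the second function is a grant that deleting the Kafka CR will not clean up and must be removed by hand.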


Advisories
Source: Github GHSA
ID: GHSA-mw9r-p8xp-wx96
Title: Strimzi: Cross-namespace privilege escalation via `Kafka.spec.entityOperator`
History

Thu, 18 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description: When the Strimzi cluster operator is deployed with watchAnyNamespace=true (or a multi-namespace list), any namespace editor can set Kafka.spec.entityOperator.userOperator.watchedNamespace (or topicOperator.watchedNamespace) to an arbitrary namespace. The cluster operator then creates a Role granting full CRUD on Secrets in the target namespace and a RoleBinding pointing to a ServiceAccount in the attacker's namespace — effectively granting cluster-admin-equivalent access via kube-system secret exfiltration. The RBAC objects created cross-namespace have their ownerReferences deliberately stripped, making the privilege grant persistent even after the Kafka CR or attacker namespace is deleted. Fixed in Strimzi 1.0.1 and 1.1.0 by adding a dedicated environment variable to explicitly enable the watched namespace feature (disabled by default).
Title: strimzi-cluster-operator: Cross-namespace privilege escalation via Kafka.spec.entityOperator.watchedNamespace in Strimzi
Weaknesses: CWE-250
References:
Metrics:
  threat_severity: None
  cvssV3_1: {'score': 8.0, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}
  threat_severity: Important

MITRE

No data.

Vulnrichment

No data.

NVD

No data.

Redhat

Severity: Important

Public Date: 2026-06-17T00:00:00Z

Links: CVE-2026-55225 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T19:45:16Z

Weaknesses
  • CWE-250: Execution with Unnecessary Privileges