Description
When deploying only the Topic Operator or only the User Operator via the Kafka custom resource, the Entity Operator's ServiceAccount retains RBAC rights for both operators rather than scoping permissions to the one actually deployed. This allows the ServiceAccount to access KafkaUser custom resources and Secrets even when the User Operator is not deployed, or access KafkaTopic custom resources when the Topic Operator is not deployed, violating the principle of least privilege. There is no workaround for this issue. Fixed in Strimzi 1.0.1 and 1.1.0.
Published: n/a
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When a cluster is configured to run only a single operator (either the Topic Operator or the User Operator), the Strimzi Cluster Operator still assigns the Entity Operator ServiceAccount full RBAC rights for both operators. This misconfiguration allows the ServiceAccount to read KafkaUser custom resources and associated Secrets even when the User Operator is absent, or to read KafkaTopic resources when only the Topic Operator is present, creating an unauthorized disclosure of sensitive information stored in KafkaSecrets. The weakness is an improper permission assignment (CWE-272) that violates the principle of least privilege.

Affected Systems

Affected product is the Strimzi Cluster Operator used in Kubernetes environments. Versions prior to Strimzi 1.0.1 and 1.1.0 are impacted; the bug is fixed in those releases. Any deployment that uses the default Entity Operator ServiceAccount while only one of the Topic or User Operators is enabled will be vulnerable.

Risk and Exploitability

The vulnerability scores a CVSS of 5.4, indicating moderate complexity. EPSS is not available and the vulnerability is not listed in CISA KEV, suggesting no widespread exploitation has been observed yet. The likely attack vector involves a pod or process within the same namespace that can acquire the Entity Operator ServiceAccount token, allowing it to read Kafka secrets and custom resources. An attacker with such access can extract sensitive configuration data, potentially compromising downstream applications.

Generated by OpenCVE AI on June 19, 2026 at 13:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Strimzi Cluster Operator to at least version 1.0.1 or 1.1.0 to apply the fix that scopes the Entity Operator ServiceAccount to the operators actually deployed.
  • After upgrading, review the ClusterRole and RoleBinding objects that bind the Entity Operator ServiceAccount, ensuring they grant permissions only to the operators that are enabled and removing bindings related to the disabled operator.
  • Restart or redeploy the Entity Operator to ensure it obtains a new ServiceAccount token that reflects the updated RBAC rules.

Generated by OpenCVE AI on June 19, 2026 at 13:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r427-j2h7-wv3m Strimzi: Unrestricted access to all Secrets within namespace watched by the Topic operator
History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Strimzi
Strimzi kafka-operator
Vendors & Products Strimzi
Strimzi kafka-operator

Fri, 19 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Description When deploying only the Topic Operator or only the User Operator via the Kafka custom resource, the Entity Operator's ServiceAccount retains RBAC rights for both operators rather than scoping permissions to the one actually deployed. This allows the ServiceAccount to access KafkaUser custom resources and Secrets even when the User Operator is not deployed, or access KafkaTopic custom resources when the Topic Operator is not deployed, violating the principle of least privilege. There is no workaround for this issue. Fixed in Strimzi 1.0.1 and 1.1.0.
Title strimzi-cluster-operator: Unrestricted access to all Secrets within namespace watched by the Topic operator in Strimzi
Weaknesses CWE-272
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N'}

threat_severity

Moderate


Subscriptions

Strimzi Kafka-operator
cve-icon MITRE

No data.

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-17T00:00:00Z

Links: CVE-2026-55226 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:04:06Z

Weaknesses
  • CWE-272

    Least Privilege Violation