Description
A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources.
Published: 2026-04-15
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized subresource access due to improper RBAC evaluation
Action: Assess Impact
AI Analysis

Impact

The vulnerability in KubeVirt lies in its RBAC evaluation logic, where subresource names are improperly truncated before they are compared against the permissions a role grants. Because the comparison is made on a truncated name, the authorization decision can be wrong in both directions: an authenticated user holding a custom role can act on subresources that role was never meant to cover, and a user whose role does cover a subresource can be refused. In the first case an attacker may disclose sensitive data or perform operations they are not permitted to perform; in the second, legitimate users lose access to resources they are entitled to. The weakness is classified as CWE-863 (Incorrect Authorization): an authorization check is performed, but it reaches the wrong result.

Affected Systems

This issue is recorded against Red Hat OpenShift Virtualization 4 (the CPE product name is Container Native Virtualization, version 4). No narrower version range is listed, so every installation in that product line should be treated as potentially affected until Red Hat publishes fixed builds.

Risk and Exploitability

The CVSS 3.1 score of 5.4 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) places the vulnerability in the medium severity range: network reachable, low attack complexity, no user interaction, but it requires an authenticated principal with some privileges and yields limited confidentiality and integrity impact. EPSS data is not available, and the CISA KEV catalog does not list it, so there is no confirmed exploitation in the wild yet; the SSVC record below likewise rates exploitation as "none" and the issue as not automatable. The likely exploitation scenario is an authenticated user who holds a custom role granting some subresource permissions and who then requests subresources that the truncated comparison wrongly accepts. No public exploit code is noted. Note that the availability impact is rated None: the "legitimate users may be denied access" side of the bug is an authorization correctness problem, not a denial of service in the CVSS sense.

Generated by OpenCVE AI on April 16, 2026 at 02:29 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Apply Red Hat releases that include the fix as soon as they become available
  • Audit and prune custom RBAC roles, ensuring they only grant necessary subresource permissions
  • Configure or monitor audit logs for anomalous subresource access to detect potential abuse
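The two manual actions above (audit custom roles for subresource grants, watch audit logs for anomalous subresource access) can be scripted. The following is an added example written for this page, not OpenCVE's, KubeVirt's or Red Hat's code. It assumes, from general KubeVirt and Kubernetes knowledge rather than from this advisory, that KubeVirt serves its subresources from the API group "subresources.kubevirt.io", that Kubernetes RBAC writes a subresource grant as "resource/subresource" in rules[].resources, and that Kubernetes audit events carry objectRef.subresource and responseStatus.code. The roles, audit lines and expected-user list are constructed for the example.

```python
"""Added example (not OpenCVE's, KubeVirt's or Red Hat's code): list RBAC rules
that reach KubeVirt subresources, and flag subresource requests in an audit log.

Assumptions not taken from the advisory: KubeVirt subresources live in the API
group "subresources.kubevirt.io"; RBAC writes a subresource grant as
"resource/subresource"; audit events carry objectRef.subresource. All sample
roles, log lines and users below are constructed.
"""
import json
from typing import Iterable

KUBEVIRT_SUBRESOURCE_GROUP = "subresources.kubevirt.io"  # assumption, see docstring


def subresource_grants(roles: Iterable[dict]) -> list[dict]:
    """Return each rule that can reach a KubeVirt subresource. A grant is
    'broad' when it relies on a wildcard group, resource or verb; those are
    the first candidates for pruning while the evaluation fix is pending."""
    findings = []
    for role in roles:
        meta = role.get("metadata", {})
        ns = meta.get("namespace")
        ref = f"{role.get('kind', 'Role')}:{ns + '/' if ns else ''}{meta.get('name', '?')}"
        for rule in role.get("rules", []):
            groups = rule.get("apiGroups", [])
            if KUBEVIRT_SUBRESOURCE_GROUP not in groups and "*" not in groups:
                continue
            verbs = rule.get("verbs", [])
            for res in rule.get("resources", []):
                if res != "*" and "/" not in res:
                    continue  # plain resource, not a subresource grant
                broad = res == "*" or res.startswith("*/") or "*" in verbs or "*" in groups
                findings.append({"role": ref, "resource": res,
                                 "verbs": sorted(verbs), "broad": broad})
    return findings


def subresource_requests(audit_lines: Iterable[str], expected_users: set) -> list[dict]:
    """Pick KubeVirt subresource requests out of audit-log JSON lines. A hit is
    'suspicious' when an unexpected caller succeeded (possible mis-grant) or an
    expected caller was refused (possible mis-denial)."""
    hits = []
    for line in audit_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage", "ResponseComplete") != "ResponseComplete":
            continue  # only the final stage carries the response status
        ref = ev.get("objectRef") or {}
        if ref.get("apiGroup") != KUBEVIRT_SUBRESOURCE_GROUP or not ref.get("subresource"):
            continue
        user = (ev.get("user") or {}).get("username", "")
        code = (ev.get("responseStatus") or {}).get("code") or 0
        ok = 200 <= code < 300
        hits.append({
            "user": user, "verb": ev.get("verb"), "code": code,
            "target": "/".join(str(ref.get(k, "")) for k in ("namespace", "resource", "name", "subresource")),
            "suspicious": (ok and user not in expected_users) or (not ok and user in expected_users),
        })
    return hits


# Constructed sample roles, shaped like items of `kubectl get roles,clusterroles -o json`.
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"name": "vm-operator", "namespace": "tenant-a"},
     "rules": [
         {"apiGroups": ["kubevirt.io"], "resources": ["virtualmachines"], "verbs": ["get", "list"]},
         {"apiGroups": [KUBEVIRT_SUBRESOURCE_GROUP],
          "resources": ["virtualmachines/start", "virtualmachines/stop"], "verbs": ["update"]},
     ]},
    {"kind": "ClusterRole", "metadata": {"name": "vm-everything"},
     "rules": [{"apiGroups": [KUBEVIRT_SUBRESOURCE_GROUP], "resources": ["*"], "verbs": ["*"]}]},
]


def _event(user, verb, resource, name, sub, code, stage="ResponseComplete"):
    """Build one constructed audit.k8s.io/v1 event line."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
                       "verb": verb, "user": {"username": user},
                       "objectRef": {"apiGroup": KUBEVIRT_SUBRESOURCE_GROUP, "namespace": "tenant-a",
                                     "resource": resource, "name": name, "subresource": sub},
                       "responseStatus": {"code": code}})


# Constructed audit lines: an expected success, an early-stage duplicate that must
# be ignored, an unexpected success (mis-grant) and an unexpected denial (mis-denial).
SAMPLE_AUDIT_LINES = [
    _event("alice", "get", "virtualmachineinstances", "web-1", "console", 200),
    _event("alice", "get", "virtualmachineinstances", "web-1", "console", 200, stage="RequestReceived"),
    _event("mallory", "update", "virtualmachines", "db-1", "start", 200),
    _event("bob", "get", "virtualmachineinstances", "web-1", "vnc", 403),
]
EXPECTED_USERS = {"alice", "bob"}  # constructed: who is meant to touch these subresources

if __name__ == "__main__":
    for f in subresource_grants(SAMPLE_ROLES):
        print(("BROAD " if f["broad"] else "      ") + f"{f['role']} {f['resource']} {f['verbs']}")
    for h in subresource_requests(SAMPLE_AUDIT_LINES, EXPECTED_USERS):
        print(("SUSPICIOUS " if h["suspicious"] else "           ")
              + f"{h['user']} {h['verb']} {h['target']} -> {h['code']}")
```

Against a live cluster, feed `subresource_grants` the `items` of `kubectl get roles,clusterroles -A -o json` and `subresource_requests` the lines of the API server audit log. The mis-denial heuristic (an expected user receiving a non-2xx code) is only a pointer: it needs the expected-user list to be accurate for the namespace, otherwise ordinary permission errors will show up as false positives.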


Tracking


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 00:15:00 +0000

Metrics, threat_severity: None (removed) -> Moderate (added)
References: no values listed

Wed, 15 Apr 2026 19:15:00 +0000

Metrics, ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 18:30:00 +0000

Description (added): the Description shown at the top of this page
Title (added): Kubevirt: kubevirt: unauthorized subresource access due to improper rbac evaluation
First Time appeared (added): Redhat; Redhat Container Native Virtualization
Weaknesses (added): CWE-863
CPEs (added): cpe:/a:redhat:container_native_virtualization:4
Vendors & Products (added): Redhat; Redhat Container Native Virtualization
References: no values listed
Metrics, cvssV3_1 (added): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-15T18:40:31.052Z

Reserved: 2026-04-15T18:03:12.839Z

Link: CVE-2026-6383

Vulnrichment

Updated: 2026-04-15T18:40:25.744Z

NVD

Status : Received

Published: 2026-04-15T19:16:38.520

Modified: 2026-04-15T19:16:38.520

Link: CVE-2026-6383

Redhat

Severity : Moderate

Public Date: 2026-04-15T18:03:18Z

Links: CVE-2026-6383 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T02:30:21Z

Weaknesses