Data Exposure Vulnerability in KubeVirt by Red Hat
CVE-2025-14459

8.5HIGH

Key Information:

Vendor

Red Hat
Status
Rhel-9-cnv-4.19
Red Hat Openshift Virtualization 4
Vendor
CVE Published:
26 January 2026

What is CVE-2025-14459?

A security flaw has been identified in the KubeVirt Containerized Data Importer (CDI), enabling users to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces. This vulnerability presents a risk of unauthorized access to sensitive data through the DataImportCron PVC source mechanism, potentially compromising data integrity and confidentiality within cloud-native environments.

Affected Version(s)

RHEL-9-CNV-4.19 v4.19.17-5

RHEL-9-CNV-4.19 v4.19.17-5

RHEL-9-CNV-4.19 v4.19.17-5

References

https://access.redhat.com/errata/RHSA-2026:0950
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-14459
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2420938
issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.