Security Flaw in KubeVirt's Migration Proxy Exposes Virtual Machines to Attacks
CVE-2026-13325
What is CVE-2026-13325?
A security flaw in KubeVirt's migration proxy poses a significant risk to virtual machine tenants. When the configuration option to disable TLS is enabled, virt-handler binds a TCP listener to all interfaces without proper authentication, so an attacker with access to the cluster network can connect to the listener. From there the attacker can issue unfiltered libvirt RPC commands against another tenant's virtual machine, with the risk of reading sensitive VM memory, altering the VM's state, or even destroying the VM. Notably, the listener's bind address is 0.0.0.0, so it remains reachable even when a dedicated migration network is in place. The API documentation misleadingly describes disabling TLS as simply removing encryption and fails to point out that it also removes the mutual authentication that TLS provided.
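A defender-side check for the two conditions described above, added here as an example and not taken from the advisory or from KubeVirt's code: it flags a KubeVirt custom resource with migration TLS disabled and virt-handler listeners bound to all interfaces. The field path `spec.configuration.migrations.disableTLS` is an assumption about the KubeVirt API that the page does not name, and the sample inputs are constructed.

```python
import json

# Constructed sample: trimmed `kubectl get kubevirt -A -o json` output.
SAMPLE_CR = json.dumps({"items": [{
    "metadata": {"namespace": "kubevirt", "name": "kubevirt"},
    "spec": {"configuration": {"migrations": {"disableTLS": True}}},
}]})

# Constructed sample: `ss -H -ltnp` lines from a node (ports are made up).
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:40001 0.0.0.0:* users:(("virt-handler",pid=2211,fd=14))
LISTEN 0 4096 10.10.5.7:40002 0.0.0.0:* users:(("virt-handler",pid=2211,fd=9))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=801,fd=3))
"""

WILDCARDS = {"0.0.0.0", "*", "[::]"}  # "all interfaces" spellings used by ss


def tls_disabled(cr_list_json):
    """Return namespace/name of every KubeVirt CR with migration TLS disabled."""
    hits = []
    for item in json.loads(cr_list_json).get("items", []):
        config = (item.get("spec") or {}).get("configuration") or {}
        if (config.get("migrations") or {}).get("disableTLS") is True:
            meta = item.get("metadata") or {}
            hits.append(f"{meta.get('namespace')}/{meta.get('name')}")
    return hits


def wildcard_listeners(ss_output, process="virt-handler"):
    """Return (address, port) for listeners of `process` bound to all interfaces."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        if f'"{process}"' not in " ".join(fields[5:]):
            continue
        addr, _, port = fields[3].rpartition(":")
        if addr in WILDCARDS and port.isdigit():
            found.append((addr, int(port)))
    return found


def exposed(cr_list_json, ss_output):
    """True only when TLS is disabled AND a wildcard listener is present."""
    return bool(tls_disabled(cr_list_json)) and bool(wildcard_listeners(ss_output))


if __name__ == "__main__":
    print(tls_disabled(SAMPLE_CR), wildcard_listeners(SAMPLE_SS))
```

A wildcard listener owned by virt-handler is a lead to confirm against the TLS setting, not proof on its own, which is why `exposed` requires both conditions.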