Network Vulnerability in KubeVirt's Multus Configuration
CVE-2026-13434
4.9 MEDIUM
What is CVE-2026-13434?
A flaw exists in KubeVirt's network annotation generator that allows a tenant with edit permissions to inject arbitrary JSON-formatted data into network configurations. The vulnerability arises because the networkName input is written directly into the launcher pod's annotations without validation or sanitization. When the ExternalNetResourceInjection feature gate is enabled, the injected data bypasses the normal checks and permits cross-namespace network access. As a result, an attacker could perform IP/MAC impersonation and carry out unauthorized cross-tenant networking operations.
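The root cause described above is a string-splicing pattern: a tenant-controlled name is concatenated into a JSON annotation, so JSON syntax in the name becomes part of the annotation's structure. The Go program below is an added illustration, not KubeVirt's code or its fix: it places a weak builder (`UnsafeAnnotation`, which formats the name straight into a JSON string) beside a hardened one (`SafeAnnotation`, which validates each name against a Kubernetes-style name pattern and then lets `encoding/json` serialize it). The annotation key is the standard Multus one; the function names, the `NetworkRef` type, the `<namespace>/<name>` parsing and the sample inputs are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// multusAnnotation is the standard Multus annotation key that lists the
// secondary networks a pod should be attached to.
const multusAnnotation = "k8s.v1.cni.cncf.io/networks"

// dns1123 approximates a Kubernetes resource name: lowercase alphanumerics,
// '-' and '.', starting and ending with an alphanumeric. Both the optional
// namespace and the NetworkAttachmentDefinition name must satisfy it.
// (Assumed policy for this example; the project's real rules may differ.)
var dns1123 = regexp.MustCompile(`^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$`)

// NetworkRef is one element of the list that is serialised into the
// Multus annotation (example type, not KubeVirt's).
type NetworkRef struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace,omitempty"`
	Interface string `json:"interface,omitempty"`
}

// UnsafeAnnotation shows the weak pattern: the tenant-supplied value is
// spliced into a JSON string with fmt.Sprintf, so quotes and braces in the
// input become part of the JSON structure instead of being escaped.
func UnsafeAnnotation(networkNames []string) string {
	parts := make([]string, 0, len(networkNames))
	for i, n := range networkNames {
		parts = append(parts, fmt.Sprintf(`{"name":"%s","interface":"net%d"}`, n, i+1))
	}
	return "[" + strings.Join(parts, ",") + "]"
}

// ParseNetworkName validates and splits a "<namespace>/<name>" or "<name>"
// value. Anything that is not a well-formed name is rejected before it can
// reach the annotation, so JSON syntax characters never get that far.
func ParseNetworkName(networkName, defaultNamespace string) (NetworkRef, error) {
	ns, name := defaultNamespace, networkName
	if i := strings.Index(networkName, "/"); i >= 0 {
		ns, name = networkName[:i], networkName[i+1:]
	}
	for _, s := range []string{ns, name} {
		if len(s) == 0 || len(s) > 253 || !dns1123.MatchString(s) {
			return NetworkRef{}, fmt.Errorf("invalid network name %q", networkName)
		}
	}
	return NetworkRef{Name: name, Namespace: ns}, nil
}

// SafeAnnotation validates every name and then lets encoding/json do the
// serialisation, so the output is always a well-formed list of objects whose
// namespace field is the one the caller chose, not one smuggled in a name.
func SafeAnnotation(networkNames []string, defaultNamespace string) (string, error) {
	refs := make([]NetworkRef, 0, len(networkNames))
	for i, n := range networkNames {
		ref, err := ParseNetworkName(n, defaultNamespace)
		if err != nil {
			return "", err
		}
		ref.Interface = fmt.Sprintf("net%d", i+1)
		refs = append(refs, ref)
	}
	b, err := json.Marshal(refs)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	// Constructed inputs: two ordinary names, and one that carries a stray
	// quote and brace of the kind the validator must refuse.
	good := []string{"ovs-net", "infra/mgmt-net"}
	bad := []string{`ovs-net"}`}

	fmt.Printf("%s (unsafe): %s\n", multusAnnotation, UnsafeAnnotation(bad))
	if s, err := SafeAnnotation(good, "tenant-a"); err == nil {
		fmt.Printf("%s (safe):   %s\n", multusAnnotation, s)
	}
	if _, err := SafeAnnotation(bad, "tenant-a"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The design point is that escaping alone is not the fix: validating the name against the shape a NetworkAttachmentDefinition reference is allowed to have, and then serializing with a real JSON encoder, removes the whole class of structure-changing input rather than one character at a time. The `defaultNamespace` parameter is where a deployment would also enforce which namespaces a tenant may reference at all.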
CVSS V3.1
Score: 4.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
This issue was discovered by Huzaifa Sidhpurwala (Red Hat).