Exfiltration Vulnerability in Aiven Operator for Kubernetes
CVE-2026-39961

6.8 MEDIUM

Key Information:

Vendor: Aiven
CVE Published: 9 April 2026

What is CVE-2026-39961?

Aiven Operator, which provisions and manages Aiven services from Kubernetes, has a vulnerability that lets a user with create permissions on ClickhouseUser Custom Resource Definitions (CRDs) access and extract sensitive information, such as production database credentials, API keys, and service tokens, from other namespaces. The issue stems from missing validation of user-supplied namespace values and insufficient admission webhook enforcement: the operator reads the referenced secrets using its cluster-wide access rights and copies them into the attacking user's namespace, posing a severe risk to the confidentiality and integrity of sensitive data. The vulnerability was addressed in version 0.37.0.
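As an added illustration of the flaw class described above (this is not Aiven's code; the ConnInfoSecretRef field, the struct shapes and the sample namespaces are hypothetical stand-ins), the namespace resolution that trusts the spec is shown beside the admission-time check and the reconciler-side scoping that close it:

```go
package main

import (
	"errors"
	"fmt"
)

// ObjectMeta stands in for the Kubernetes metadata every custom resource carries.
type ObjectMeta struct{ Name, Namespace string }
// SecretRef is a hypothetical "points at a Secret" spec field (the real
// ClickhouseUser CRD schema is not reproduced here); Namespace is user-controlled.
type SecretRef struct{ Name, Namespace string }
// ClickhouseUserSpec and ClickhouseUserCR model a tenant-submitted resource.
type ClickhouseUserSpec struct{ ConnInfoSecretRef SecretRef }
type ClickhouseUserCR struct {
	Metadata ObjectMeta
	Spec     ClickhouseUserSpec
}

var ErrCrossNamespace = errors.New("secret reference must stay in the CR's namespace")

// VulnerableSecretNamespace mirrors the flaw class: the reconciler trusts the
// spec's namespace, so its cluster-wide RBAC reads Secrets from any namespace.
func VulnerableSecretNamespace(cr ClickhouseUserCR) string {
	if ns := cr.Spec.ConnInfoSecretRef.Namespace; ns != "" {
		return ns
	}
	return cr.Metadata.Namespace
}

// ValidateSecretRef is the admission-time check: reject a CR whose secret
// reference names another namespace (empty means "same as the CR").
func ValidateSecretRef(cr ClickhouseUserCR) error {
	ref := cr.Spec.ConnInfoSecretRef
	if ref.Namespace != "" && ref.Namespace != cr.Metadata.Namespace {
		return fmt.Errorf("%w: %s/%s referenced from %s",
			ErrCrossNamespace, ref.Namespace, ref.Name, cr.Metadata.Namespace)
	}
	return nil
}

// HardenedSecretNamespace ignores the user-supplied value: every Secret read is scoped to the CR's namespace.
func HardenedSecretNamespace(cr ClickhouseUserCR) string { return cr.Metadata.Namespace }

func main() { // constructed sample: a tenant CR pointing at a Secret in "production"
	cr := ClickhouseUserCR{
		Metadata: ObjectMeta{Name: "reader", Namespace: "tenant-a"},
		Spec:     ClickhouseUserSpec{ConnInfoSecretRef: SecretRef{Name: "prod-creds", Namespace: "production"}},
	}
	fmt.Println(VulnerableSecretNamespace(cr), ValidateSecretRef(cr), HardenedSecretNamespace(cr))
}
```

The admission check belongs in a validating webhook so the cross-namespace reference never reaches the reconciler, and the hardened resolution guards the reconciler if the webhook is bypassed or misconfigured.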

Affected Version(s)

aiven-operator < 0.37.0

References

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
