Elevated Permissions Vulnerability in Pinniped Supervisor for Kubernetes Clusters
CVE-2026-59269

3.8LOW

Key Information:

Vendor

Vmware

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-59269?

A flaw in the Pinniped Supervisor allows an attacker to gain elevated permissions in Kubernetes clusters under specific conditions. This issue occurs if the Pinniped Supervisor server uses a configured ActiveDirectoryIdentityProvider resource with an empty groupName attribute and if certain parameters allow group entries to be altered. If the attacker knows the password of a legitimate Active Directory user and can modify group entries, they could potentially be included in the group search results, leading to unauthorized access within the cluster.

Affected Version(s)

Pinniped 0.11.0 <= 0.46.0

References

CVSS V3.1

Score:
3.8
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.