Path Traversal Vulnerability in KubeVirt's VMExport Component
CVE-2026-9804
7.7 HIGH
What is CVE-2026-9804?
A security flaw exists in the KubeVirt 'virt-exportserver' component that allows an attacker with specific namespace-level access to exploit a path traversal vulnerability. By creating a symbolic link within the exported filesystem Persistent Volume Claim (PVC) that points to locations outside its designated mount root, an attacker can gain unauthorized access to arbitrary files within the exporter pod's filesystem. This could lead to the disclosure of sensitive information, potentially compromising system integrity and confidentiality.
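The defensive check that this class of bug calls for is to resolve the requested path (symlinks included) and confirm the result still lies under the export root before opening it. The following Go snippet is an added illustration, not KubeVirt's own code or its fix: the function name `ResolveUnderRoot`, the error `ErrOutsideRoot`, and the constructed directory tree (a `disk.img` inside the root and an `escape` symlink pointing to a file outside it) are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the fully resolved path leaves the export root.
// Hypothetical name; not a KubeVirt identifier.
var ErrOutsideRoot = errors.New("path escapes export root")

// ResolveUnderRoot maps a client-supplied relative path onto a filesystem path
// beneath root. It evaluates every symlink in both root and the candidate path,
// then checks containment on the *resolved* result, so a symlink inside the
// export that targets a location outside the mount is rejected rather than followed.
func ResolveUnderRoot(root, requested string) (string, error) {
	absRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", fmt.Errorf("resolving root: %w", err)
	}
	absRoot, err = filepath.Abs(absRoot)
	if err != nil {
		return "", err
	}
	// Clean with a leading "/" so lexical ".." segments cannot climb above root.
	candidate := filepath.Join(absRoot, filepath.Clean("/"+requested))
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", fmt.Errorf("resolving %q: %w", requested, err)
	}
	rel, err := filepath.Rel(absRoot, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// DemoResult holds the outcome of resolving two constructed paths.
type DemoResult struct {
	OKPath    string // resolved path of the legitimate file inside the root
	EscapeErr error  // error produced for the symlink that points outside the root
}

// RunDemo builds a constructed export tree in temporary directories:
//   root/disk.img            -> a regular file inside the export
//   root/escape -> <outside>/secret.txt  (symlink leaving the export root)
// and runs ResolveUnderRoot against both entries.
func RunDemo() (DemoResult, error) {
	root, err := os.MkdirTemp("", "vmexport-root-")
	if err != nil {
		return DemoResult{}, err
	}
	defer os.RemoveAll(root)
	outside, err := os.MkdirTemp("", "vmexport-outside-")
	if err != nil {
		return DemoResult{}, err
	}
	defer os.RemoveAll(outside)

	secret := filepath.Join(outside, "secret.txt")
	if err := os.WriteFile(secret, []byte("constructed secret"), 0o600); err != nil {
		return DemoResult{}, err
	}
	if err := os.WriteFile(filepath.Join(root, "disk.img"), []byte("constructed image"), 0o600); err != nil {
		return DemoResult{}, err
	}
	if err := os.Symlink(secret, filepath.Join(root, "escape")); err != nil {
		return DemoResult{}, err
	}

	okPath, err := ResolveUnderRoot(root, "disk.img")
	if err != nil {
		return DemoResult{}, err
	}
	_, escapeErr := ResolveUnderRoot(root, "escape")
	return DemoResult{OKPath: okPath, EscapeErr: escapeErr}, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Println("disk.img resolved to:", res.OKPath)
	fmt.Println("escape symlink rejected:", res.EscapeErr)
}
```

The containment test is done after `EvalSymlinks`, not before: checking the lexical path alone would accept `escape` because, as a string, it sits under the root. Resolving the root itself as well keeps the comparison correct on systems where the temporary directory is itself a symlink.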
References
CVSS V3.1
Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Thai Son Dinh, GitHub: @sondt99 (VinSOC) for reporting this issue.