{}

{}

{}

{"bugzilla": {"description": "strimzi-cluster-operator: Cross-namespace privilege escalation via Kafka.spec.entityOperator.watchedNamespace in Strimzi", "id": "2490275", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490275"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.0", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-250", "details": ["When the Strimzi cluster operator is deployed with watchAnyNamespace=true (or a multi-namespace list), any namespace editor can set Kafka.spec.entityOperator.userOperator.watchedNamespace (or topicOperator.watchedNamespace) to an arbitrary namespace. The cluster operator then creates a Role granting full CRUD on Secrets in the target namespace and a RoleBinding pointing to a ServiceAccount in the attacker's namespace \u2014 effectively granting cluster-admin-equivalent access via kube-system secret exfiltration. The RBAC objects created cross-namespace have their ownerReferences deliberately stripped, making the privilege grant persistent even after the Kafka CR or attacker namespace is deleted. Fixed in Strimzi 1.0.1 and 1.1.0 by adding a dedicated environment variable to explicitly enable the watched namespace feature (disabled by default)."], "name": "CVE-2026-55225", "package_state": [{"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Affected", "package_name": "cluster-operator", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Affected", "package_name": "cluster-operator", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-06-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-55225\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-55225"], "threat_severity": "Important"}

{}