CVE-2026-6383 MEDIUM

CVE-2026-6383: Kubevirt: kubevirt: unauthorized subresource access due to improper rbac evaluation

Vendor Red Hat
Product Red Hat OpenShift Virtualization 4
Weakness CWE-863 · Incorrect authorization
Published April 15, 2026
Last update April 15, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to perform. Additionally, legitimate users may be denied access to resources.
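The following Go program is an added illustration of the weakness class the description names (CWE-863 via lossy name comparison); it is not KubeVirt's evaluation code and is not derived from the fix. It models the truncation as cutting a nested subresource name at the next "/" before comparing it against a role's entries; that mechanism, the rule set, the verbs and the subresource names (patterned after KubeVirt's "resource/subresource" paths but treated here as constructed samples) are all assumptions. The example shows the over-granting outcome only: a custom role that grants one nested subresource is evaluated as granting its siblings.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified RBAC rule in the shape of a Kubernetes PolicyRule's
// verbs and resources fields, where resources may be "resource" or
// "resource/subresource". Hypothetical model for illustration only.
type Rule struct {
	Verbs     []string
	Resources []string
}

// splitFunc turns a "resource/subresource" entry into its two parts.
type splitFunc func(entry string) (resource, subresource string)

// splitTruncated is the flawed parser: it splits on every "/" and keeps
// only the first two segments, so a nested name such as
// "sev/fetchcertchain" is truncated to "sev" and all "sev/*" entries
// collapse into one. (Assumed mechanism, not the advisory's.)
func splitTruncated(entry string) (string, string) {
	parts := strings.Split(entry, "/")
	if len(parts) == 1 {
		return parts[0], ""
	}
	return parts[0], parts[1] // parts[2:] are silently dropped
}

// splitExact is the corrected parser: everything after the first "/" is
// the subresource name, so nested names stay distinct.
func splitExact(entry string) (string, string) {
	parts := strings.SplitN(entry, "/", 2)
	if len(parts) == 1 {
		return parts[0], ""
	}
	return parts[0], parts[1]
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// authorize reports whether any rule grants verb on the requested
// "resource/subresource" path, comparing both the rule entries and the
// request after running them through split.
func authorize(rules []Rule, verb, request string, split splitFunc) bool {
	wantRes, wantSub := split(request)
	for _, rule := range rules {
		if !contains(rule.Verbs, verb) {
			continue
		}
		for _, entry := range rule.Resources {
			res, sub := split(entry)
			if res == wantRes && sub == wantSub {
				return true
			}
		}
	}
	return false
}

// AuthorizeFlawed evaluates with the truncating parser.
func AuthorizeFlawed(rules []Rule, verb, request string) bool {
	return authorize(rules, verb, request, splitTruncated)
}

// AuthorizeFixed evaluates with exact subresource names.
func AuthorizeFixed(rules []Rule, verb, request string) bool {
	return authorize(rules, verb, request, splitExact)
}

// SampleRules is a constructed custom role: read access to the console
// subresource and to exactly one nested SEV subresource.
func SampleRules() []Rule {
	return []Rule{{
		Verbs: []string{"get"},
		Resources: []string{
			"virtualmachineinstances/console",
			"virtualmachineinstances/sev/fetchcertchain",
		},
	}}
}

func main() {
	rules := SampleRules()
	for _, req := range []string{
		"virtualmachineinstances/sev/fetchcertchain",
		"virtualmachineinstances/sev/injectlaunchsecret", // not granted
		"virtualmachineinstances/console",
		"virtualmachineinstances/vnc", // not granted
	} {
		fmt.Printf("%-48s flawed=%-5v fixed=%v\n", req,
			AuthorizeFlawed(rules, "get", req), AuthorizeFixed(rules, "get", req))
	}
}
```

The defender's takeaway is the comparison in `authorize`: an authorization decision is only as precise as the name it compares, so any normalisation step applied before matching (truncation, delimiter splitting, case folding) must be proven not to merge two distinct permissions. A unit test that asserts a sibling subresource is denied when only one is granted, as in the test below, is the cheapest regression check for this class of defect.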

Key dates

Disclosure timeline

April 15, 2026 CVE published
April 15, 2026 Record updated