CVE-2026-53487

MEDIUMPre-NVD 4.34.3
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 4.3 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
4.3
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 4.3Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Kite has an authenticated cluster RBAC bypass in /api/v1/overview

Summary

Authenticated Kite users with any role can request /api/v1/overview for a cluster that their roles do not permit by selecting that cluster with x-cluster-name. The overview route is registered before middleware.RBACMiddleware() and GetOverview only checks len(user.Roles) > 0, so it returns aggregate Kubernetes inventory and capacity data from unauthorized clusters.

The issue is present on current main commit 38c9bb9d4b746c0d2a8252f3c35cdfa07ab01c21 and latest release v0.12.2 at commit 0aae35abb2d6a8adf623fe60349261aa48753ccc.

Impact

A low-privileged user who only has access to one cluster can set x-cluster-name to another configured cluster and retrieve aggregate inventory and resource sizing data for that cluster. The response includes total node, pod, namespace, service, CPU, and memory values. This bypasses the cluster membership boundary used elsewhere in Kite.

The validated impact is confidentiality only. I did not prove Kubernetes mutation, pod names, secret values, kubeconfig contents, or bearer token exposure through this endpoint.

Technical details

routes.go registers /api/v1/overview before the global RBAC middleware is applied:

  • routes.go:131-133: /api/v1 gets RequireAuth() and ClusterMiddleware(cm).
  • routes.go:135: /api/v1/overview is registered.
  • routes.go:171: api.Use(middleware.RBACMiddleware()) is applied only after overview and several other routes are registered.

pkg/middleware/cluster.go:21-40 accepts the target cluster name from x-cluster-name, query, or cookie and injects the matching ClientSet without checking whether the user can access that cluster.

pkg/system/handler.go:47-52 retrieves the selected cluster and user, but only rejects users with zero roles:

cs := c.MustGet("cluster").(*cluster.ClientSet)
user := c.MustGet("user").(model.User)
if len(user.Roles) == 0 {
    c.JSON(http.StatusForbidden, gin.H{"error": "Access denied"})
    return
}

It then lists nodes, pods, namespaces, and services for the selected cluster at pkg/system/handler.go:63-137 and returns aggregate data at pkg/system/handler.go:147-169.

The intended cluster boundary exists elsewhere. pkg/cluster/cluster_handler.go:19-47 filters /api/v1/clusters with rbac.CanAccessCluster(user, name), and pkg/rbac/rbac.go:32-40 implements that cluster check. The vulnerable overview path skips the same check.

Reproduction

  • Configure Kite with at least two clusters, for example dev-cluster and prod-cluster.
  • Create a user with a role that allows only dev-cluster and does not match prod-cluster.
  • Authenticate as that user.
  • Send GET /api/v1/overview with header x-cluster-name: prod-cluster.
  • Observe that the response includes aggregate inventory and capacity data for prod-cluster instead of returning 403.

I also validated this locally with a Go proof test. The test constructs a fake prod-cluster containing one node, namespace, service, and pod. The user has a role limited to dev-cluster and dev-ns only. Before calling the handler, both controls return false:

  • rbac.CanAccess(user, "pods", "get", "prod-cluster", "_all")
  • rbac.CanAccessCluster(user, "prod-cluster")

The direct handler call then succeeds and returns the unauthorized production cluster aggregate data.

Command run:

cd /home/unkn0wn/security_audit/kite
go test ./pkg/system -run TestOverviewAllowsUserWithoutTargetClusterRBAC -v

Key output:

=== RUN   TestOverviewAllowsUserWithoutTargetClusterRBAC
    overview_rbac_poc_test.go:74: unauthorized overview response: {"totalNodes":1,"readyNodes":0,"totalPods":1,"runningPods":0,"totalNamespaces":1,"totalServices":1,"prometheusEnabled":false,"resource":{"cpu":{"allocatable":0,"requested":0,"limited":0},"memory":{"allocatable":0,"requested":0,"limited":0}}}
--- PASS: TestOverviewAllowsUserWithoutTargetClusterRBAC (0.49s)
PASS
ok  	github.com/zxh326/kite/pkg/system	0.711s

Suggested remediation

Add an explicit cluster and resource authorization check before any overview data is queried. At minimum, reject users without rbac.CanAccessCluster(user, cs.Name). A stricter fix should require the same resource permissions used by the AI get_cluster_overview tool:

  • get nodes at cluster scope
  • get pods across all namespaces
  • get namespaces at cluster scope
  • get services across all namespaces

Also consider moving every route that lacks its own complete authorization below api.Use(middleware.RBACMiddleware()), or adding per-handler authorization tests for all pre-RBAC routes.

CVSS v3
4.3
EG Score
4.3(low)
EPSS
KEV
Not listed

Published

July 7, 2026

Last Modified

July 7, 2026

Vendor Advisories for CVE-2026-53487(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 7× in last 7d / 9× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 19:53 UTCEG score recompute
  2. 2026-07-14 20:26 UTCEG score recompute
  3. 2026-07-13 21:00 UTCEG score recompute
  4. 2026-07-12 21:33 UTCEG score recompute
  5. 2026-07-11 22:06 UTCEG score recompute
  6. 2026-07-10 22:39 UTCEG score recompute
  7. 2026-07-09 23:07 UTCEG score recompute
  8. 2026-07-08 23:40 UTCEG score recompute
  9. 2026-07-08 00:12 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-53487?
CVE-2026-53487 is a medium vulnerability published on July 7, 2026. Kite has an authenticated cluster RBAC bypass in /api/v1/overview Summary Authenticated Kite users with any role can request /api/v1/overview for a cluster that their roles do not permit by selecting that cluster with x-cluster-name. The overview route is registered before…
When was CVE-2026-53487 disclosed?
CVE-2026-53487 was first published in the National Vulnerability Database on July 7, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-53487?
CVE-2026-53487 has a CVSS v4.0 base score of 4.3 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-53487?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-53487, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-53487

Explore →

Is Your Infrastructure Affected by CVE-2026-53487?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.