SCA: security update for github.com/kubewarden/kubewarden-controller (GHSA-wqcw-g35j-j578)

medium Tenable Cloud Security Plugin ID 441194

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Kubewarden is a policy engine for Kubernetes. Prior to , an attacker with privileged AdmissionPolicy or
AdmissionPolicyGroup create permissions (which are not granted by default) can craft a policy that uses the
can_i host callback. The callback issues SubjectAccessReview (SAR) requests to enumerate the RBAC
permissions of any user or service account across the cluster. can_i does not perform the check that
enforces the context-aware allow-list; it forwards the request directly to the callback handler, which
executes a real SubjectAccessReview with policy-server privileges. This creates a policy-level
authorization gap: can_i is usable even when the policy has no context-aware resource grant.
This is an information disclosure / reconnaissance issue, not direct workload data exfiltration. The
attacker learns permission information, such as whether specific service accounts can "get secrets",
"create pods", or "bind clusterroles" in chosen namespaces. This vulnerability is fixed in .
(CVE-2026-42541)
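As an added illustration (not Kubewarden's own code), a minimal Go model of the missing-authorization gap described above: the same can_i handler without and with the context-aware allow-list check in front of the SubjectAccessReview. The Policy fields, the grant string and the RBAC lookup table are constructed assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Policy models only the part of a policy spec this issue concerns, its
// context-aware allow-list; the field name is illustrative, not the real CRD.
type Policy struct{ ContextAwareGrants []string }

// CanIRequest is the can_i host-callback payload as modelled here.
type CanIRequest struct{ User, Verb, Resource, Namespace string }

// sarGrant is the allow-list entry assumed to authorise SubjectAccessReview.
const sarGrant = "authorization.k8s.io/v1/SubjectAccessReview"

var ErrNotGranted = errors.New("policy has no context-aware grant for SubjectAccessReview")

// constructedRBAC stands in for the cluster's RBAC answers so the example runs
// offline; the real callback issues a SubjectAccessReview to the API server.
var constructedRBAC = map[string]bool{
	"system:serviceaccount:kube-system/default get secrets kube-system": true,
}

func subjectAccessReview(r CanIRequest) bool {
	return constructedRBAC[fmt.Sprintf("%s %s %s %s", r.User, r.Verb, r.Resource, r.Namespace)]
}

// canIUngated reproduces the gap: the allow-list is never consulted, so the
// SAR runs with policy-server privileges for any policy that calls can_i.
func canIUngated(_ Policy, r CanIRequest) (bool, error) {
	return subjectAccessReview(r), nil
}

// canIGated is the hardened form: the allow-list is checked first, and a
// policy without the grant gets an error instead of an RBAC answer.
func canIGated(p Policy, r CanIRequest) (bool, error) {
	for _, g := range p.ContextAwareGrants {
		if g == sarGrant {
			return subjectAccessReview(r), nil
		}
	}
	return false, ErrNotGranted
}

func main() {
	req := CanIRequest{"system:serviceaccount:kube-system/default", "get", "secrets", "kube-system"}
	fmt.Println(canIGated(Policy{}, req)) // false, ErrNotGranted
}
```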

Solution

Update the github.com/kubewarden/kubewarden-controller library and its related packages to version 1.35.0 or later.

See Also

https://github.com/advisories/GHSA-wqcw-g35j-j578

Plugin Details

Severity: Medium

ID: 441194

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 5/6/2026

Updated: 6/29/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.4

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2026-42541

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/5/2026

Vulnerability Publication Date: 5/5/2026

Reference Information

CVE: CVE-2026-42541

CWE: CWE-862