CVE-2026-39961: Aiven Operator Information Disclosure Flaw

CVE-2026-39961 is an information disclosure vulnerability in Aiven Operator for Kubernetes that allows attackers to exfiltrate secrets from any namespace. This article covers technical details, affected versions, impact, and mitigation.

Published: April 9, 2026

CVE-2026-39961 Overview

CVE-2026-39961 is an Improper Access Control vulnerability affecting the Aiven Operator for Kubernetes. This flaw enables a developer with create permissions on ClickhouseUser Custom Resource Definitions (CRDs) in their own namespace to exfiltrate secrets from any other namespace in the cluster. The attack leverages a "confused deputy" pattern where the operator's highly privileged ServiceAccount—which has cluster-wide secret read/write access via the aiven-operator-role ClusterRole—trusts user-supplied namespace values in spec.connInfoSecretSource.namespace without proper validation.

Critical Impact

A malicious insider with limited Kubernetes RBAC permissions can steal production database credentials, API keys, and service tokens from any namespace in the cluster with a single kubectl apply command.

Affected Products

  • Aiven Operator versions 0.31.0 to 0.36.x
  • Kubernetes clusters running vulnerable Aiven Operator deployments
  • Any namespace containing secrets accessible to the Aiven Operator ServiceAccount

Discovery Timeline

  • 2026-04-09 - CVE-2026-39961 published to NVD
  • 2026-04-09 - Last updated in NVD database

Technical Details for CVE-2026-39961

Vulnerability Analysis

This vulnerability represents a classic "confused deputy" attack pattern in Kubernetes operators. The Aiven Operator acts as a privileged intermediary that manages Aiven services within a Kubernetes cluster. When processing ClickhouseUser CRDs, the operator reads secret data specified by the user and writes connection information to a new secret.

The fundamental flaw lies in the operator's trust of user-supplied namespace values. The spec.connInfoSecretSource.namespace field allows users to specify an arbitrary namespace from which to read secrets. Because the operator's ServiceAccount possesses cluster-wide read/write permissions on secrets (granted by the aiven-operator-role ClusterRole), it can access secrets in any namespace—not just the namespace where the CRD was created.

Additionally, no admission webhook exists to enforce namespace boundaries. The ServiceUser webhook returns nil, and critically, no ClickhouseUser webhook was implemented to validate these cross-namespace references. This means an attacker can craft a malicious ClickhouseUser CRD that references secrets in sensitive namespaces (e.g., production, kube-system, or any namespace containing privileged credentials), and the operator will dutifully read those secrets and expose them in the attacker's namespace.

Root Cause

The root cause is improper access control validation combined with overly permissive RBAC configuration. The operator accepts a user-controlled namespace field in the ConnInfoSecretSource struct without validating that the requesting resource has permission to access secrets in that namespace. The operator's ServiceAccount has cluster-wide privileges that exceed what individual users should be able to leverage through CRD manipulation.

Attack Vector

The attack exploits network-accessible Kubernetes API access. An attacker with create permissions on ClickhouseUser CRDs in their own namespace crafts a malicious CRD that specifies a victim namespace in the spec.connInfoSecretSource.namespace field. When the operator reconciles this CRD, it uses its privileged ServiceAccount to read the victim's secret and copies the sensitive data into a new secret within the attacker's namespace.

The security patch removes the namespace field entirely from the ConnInfoSecretSource struct, forcing secrets to be read only from the same namespace as the requesting resource:

go
 type ConnInfoSecretSource struct {
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MinLength=1
-	// Name of the secret resource to read connection parameters from
+	// Name of the secret resource to read connection parameters from.
+	// The secret must be in the same namespace as the resource.
 	Name string `json:"name"`
-	// Namespace of the source secret. If not specified, defaults to the same namespace as the resource
-	Namespace string `json:"namespace,omitempty"`
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MinLength=1
 	// Key in the secret containing the password to use for authentication
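Review bot: deleting `Namespace` from `ConnInfoSecretSource` also removes it from the generated CRD schema, so after the upgrade a manifest that still sets `spec.connInfoSecretSource.namespace` is pruned silently by the API server rather than rejected; add a release note saying the field is gone, and consider keeping it in the schema for one release with a validation that rejects any non-empty value, so cluster owners find the objects that relied on cross-namespace reads. The new comment `// The secret must be in the same namespace as the resource.` is also the place to say that this behaviour changed in this version.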

Source: GitHub Commit

The corresponding controller code was also patched to enforce same-namespace access:

go
 		return "", nil
 	}
 
-	sourceNamespace := secretSource.Namespace
-	if sourceNamespace == "" {
-		sourceNamespace = resource.GetNamespace()
-	}
+	ns := resource.GetNamespace()
 
 	sourceSecret := &corev1.Secret{}
 	err := k8sClient.Get(ctx, types.NamespacedName{
 		Name:      secretSource.Name,
-		Namespace: sourceNamespace,
+		Namespace: ns,
 	}, sourceSecret)
 	if err != nil {
-		return "", fmt.Errorf("failed to read connInfoSecretSource %s/%s: %w", sourceNamespace, secretSource.Name, err)
+		return "", fmt.Errorf("failed to read connInfoSecretSource %s/%s: %w", ns, secretSource.Name, err)
 	}
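Review bot: the lookup is now bound to `resource.GetNamespace()`, but nothing in this hunk pins that down; add a regression test in which a resource in one namespace names a secret that exists only in another namespace and assert that the call fails with the `failed to read connInfoSecretSource %s/%s` error (the `%w` wrap lets the test check `apierrors.IsNotFound` on the cause), so a later refactor cannot reintroduce a spec-controlled namespace without a test going red.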

Source: GitHub Commit
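The two hunks above, reduced to a stand-alone model (an added example, not the operator's code): an in-memory secret store plays the cluster-wide read access the operator's ServiceAccount holds, readPasswordVulnerable resolves the source namespace from the spec the way the pre-0.37.0 code did, readPasswordFixed binds it to the object's own namespace the way the patch does, and validateClickhouseUser is the admission-time check the page notes was never implemented. The type names, sample namespaces and secret values are assumptions of the example; the real fix deletes the Namespace field from the CRD type rather than ignoring it, and the model keeps the field only so both readers take the same input.

```go
package main

import (
	"errors"
	"fmt"
)

// secretStore stands in for the Kubernetes API as seen through the operator's
// ServiceAccount, which the aiven-operator-role ClusterRole lets read Secrets
// in every namespace. Keys are "namespace/name"; values are the secret's data.
type secretStore map[string]map[string]string

var errNotFound = errors.New("secret not found")

func (s secretStore) get(namespace, name string) (map[string]string, error) {
	data, ok := s[namespace+"/"+name]
	if !ok {
		return nil, errNotFound
	}
	return data, nil
}

// clickhouseUser models the parts of a ClickhouseUser object that matter here.
// The v0.37.0 fix deletes the Namespace field from the CRD type; it is kept in
// this model (assumed shape) so the vulnerable and fixed readers share an input.
type clickhouseUser struct {
	Namespace       string // metadata.namespace: where the developer may create objects
	SourceName      string // spec.connInfoSecretSource.name
	SourceNamespace string // spec.connInfoSecretSource.namespace (user-controlled, pre-0.37.0)
	PasswordKey     string // spec.connInfoSecretSource.passwordKey
}

func passwordFrom(data map[string]string, key, ns, name string) (string, error) {
	pw, ok := data[key]
	if !ok {
		return "", fmt.Errorf("key %q not found in secret %s/%s", key, ns, name)
	}
	return pw, nil
}

// readPasswordVulnerable reproduces the pre-0.37.0 logic: the namespace to read
// from comes from the spec and only defaults to the object's own namespace when
// the user left it empty. The operator's RBAC does the rest (confused deputy).
func readPasswordVulnerable(store secretStore, u clickhouseUser) (string, error) {
	sourceNamespace := u.SourceNamespace
	if sourceNamespace == "" {
		sourceNamespace = u.Namespace
	}
	data, err := store.get(sourceNamespace, u.SourceName)
	if err != nil {
		return "", fmt.Errorf("failed to read connInfoSecretSource %s/%s: %w", sourceNamespace, u.SourceName, err)
	}
	return passwordFrom(data, u.PasswordKey, sourceNamespace, u.SourceName)
}

// readPasswordFixed mirrors the v0.37.0 controller change: the lookup is bound
// to the object's own namespace and nothing in the spec can redirect it.
func readPasswordFixed(store secretStore, u clickhouseUser) (string, error) {
	ns := u.Namespace
	data, err := store.get(ns, u.SourceName)
	if err != nil {
		return "", fmt.Errorf("failed to read connInfoSecretSource %s/%s: %w", ns, u.SourceName, err)
	}
	return passwordFrom(data, u.PasswordKey, ns, u.SourceName)
}

// validateClickhouseUser is the admission-time check that was missing (assumed
// shape, not the operator's code): reject a spec whose source namespace differs
// from the namespace the object is being created in. An admission policy for
// an unpatched cluster has to make exactly this decision.
func validateClickhouseUser(u clickhouseUser) error {
	if u.SourceNamespace != "" && u.SourceNamespace != u.Namespace {
		return fmt.Errorf("connInfoSecretSource.namespace %q must be empty or equal to the object namespace %q",
			u.SourceNamespace, u.Namespace)
	}
	return nil
}

func main() {
	// Constructed cluster state: a production credential the dev-team namespace
	// has no RBAC access to, and the team's own secret.
	store := secretStore{
		"production/db-creds": {"password": "prod-s3cret"},
		"dev-team/app-creds":  {"password": "dev-pass"},
	}
	crossNS := clickhouseUser{Namespace: "dev-team", SourceName: "db-creds", SourceNamespace: "production", PasswordKey: "password"}
	sameNS := clickhouseUser{Namespace: "dev-team", SourceName: "app-creds", PasswordKey: "password"}
	for _, u := range []clickhouseUser{crossNS, sameNS} {
		v, vErr := readPasswordVulnerable(store, u)
		f, fErr := readPasswordFixed(store, u)
		fmt.Printf("source=%s/%s admission=%v vulnerable=(%q,%v) fixed=(%q,%v)\n",
			u.SourceNamespace, u.SourceName, validateClickhouseUser(u), v, vErr, f, fErr)
	}
}
```

Running it shows the cross-namespace object yielding the production password on the vulnerable path, a NotFound error on the fixed path, and a rejection from the admission check, while the same-namespace object behaves identically on both paths.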

Detection Methods for CVE-2026-39961

Indicators of Compromise

  • ClickhouseUser CRDs containing spec.connInfoSecretSource.namespace fields pointing to namespaces other than where the CRD is deployed
  • Unusual secret access patterns in Kubernetes audit logs showing the Aiven Operator ServiceAccount reading secrets from multiple namespaces
  • New secrets appearing in unexpected namespaces containing connection information or credentials
  • Audit log entries showing ClickhouseUser CRD creation followed by cross-namespace secret reads

Detection Strategies

  • Enable and monitor Kubernetes audit logging for all secret read operations by the aiven-operator ServiceAccount
  • Implement OPA Gatekeeper or Kyverno policies to alert on or block ClickhouseUser CRDs specifying cross-namespace secret sources
  • Monitor for anomalous CRD creation patterns, especially from users who don't typically interact with ClickhouseUser resources
  • Review existing ClickhouseUser CRDs across all namespaces for suspicious connInfoSecretSource.namespace configurations

Monitoring Recommendations

  • Configure alerts for secret access events where the requesting ServiceAccount's namespace differs from the secret's namespace
  • Implement runtime security monitoring to detect secret exfiltration attempts
  • Regularly audit RBAC permissions for operators and service accounts with cluster-wide secret access
  • Monitor SentinelOne Singularity Cloud Workload Security for Kubernetes anomaly detection on operator behavior
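The audit-log checks described in the three lists above, as an added example that is not SentinelOne's or Aiven's code: a small Go detector over newline-delimited audit.k8s.io/v1 events. Rule 1 flags ClickhouseUser create/update requests whose spec.connInfoSecretSource.namespace differs from the object's own namespace (this needs the audit policy to record requestObject for clickhouseusers, i.e. level Request or RequestResponse). Rule 2 flags successful Secret reads by the operator's ServiceAccount in any namespace outside a baseline of namespaces where Aiven CRDs are expected; a baseline is used because the operator's own namespace always differs from the namespaces it serves, so a bare "ServiceAccount namespace differs from secret namespace" comparison would fire on every legitimate reconcile. The ServiceAccount name (aiven-operator-system/aiven-operator), the baseline, the usernames and the log lines are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// auditEvent is the subset of an audit.k8s.io/v1 Event the rules below need.
type auditEvent struct {
	Verb string `json:"verb"`
	User struct {
		Username string `json:"username"`
	} `json:"user"`
	ObjectRef struct {
		Resource  string `json:"resource"`
		Namespace string `json:"namespace"`
		Name      string `json:"name"`
	} `json:"objectRef"`
	ResponseStatus struct {
		Code int `json:"code"`
	} `json:"responseStatus"`
	// Only present when the audit policy logs at level Request or RequestResponse.
	RequestObject json.RawMessage `json:"requestObject"`
}

// clickhouseUserSpec is the part of a ClickhouseUser requestObject that matters.
type clickhouseUserSpec struct {
	Spec struct {
		ConnInfoSecretSource struct {
			Name      string `json:"name"`
			Namespace string `json:"namespace"`
		} `json:"connInfoSecretSource"`
	} `json:"spec"`
}

// Finding is one alert produced by the detector.
type Finding struct{ Rule, Detail string }

// Detector carries the deployment-specific baseline (values assumed here).
type Detector struct {
	OperatorSA         string          // audit username of the operator's ServiceAccount
	ExpectedNamespaces map[string]bool // namespaces where Aiven CRDs legitimately live
}

// checkEvent applies both rules to one parsed audit event.
func (d Detector) checkEvent(ev auditEvent) []Finding {
	var out []Finding
	// Rule 1 (IoC): spec.connInfoSecretSource.namespace names another namespace.
	if ev.ObjectRef.Resource == "clickhouseusers" && (ev.Verb == "create" || ev.Verb == "update") {
		var req clickhouseUserSpec
		if err := json.Unmarshal(ev.RequestObject, &req); err == nil { // empty requestObject fails here and is skipped
			src := req.Spec.ConnInfoSecretSource
			if src.Namespace != "" && src.Namespace != ev.ObjectRef.Namespace {
				out = append(out, Finding{"cross-namespace-secret-source", fmt.Sprintf(
					"%s created ClickhouseUser %s/%s reading secret %s/%s",
					ev.User.Username, ev.ObjectRef.Namespace, ev.ObjectRef.Name, src.Namespace, src.Name)})
			}
		}
	}
	// Rule 2 (monitoring): the operator's SA successfully read a Secret outside the baseline.
	if ev.User.Username == d.OperatorSA && ev.ObjectRef.Resource == "secrets" &&
		(ev.Verb == "get" || ev.Verb == "list") &&
		ev.ResponseStatus.Code/100 == 2 && !d.ExpectedNamespaces[ev.ObjectRef.Namespace] {
		out = append(out, Finding{"operator-secret-read-outside-baseline", fmt.Sprintf(
			"%s read secret %s/%s", ev.User.Username, ev.ObjectRef.Namespace, ev.ObjectRef.Name)})
	}
	return out
}

// Scan runs the rules over newline-delimited JSON audit events.
func (d Detector) Scan(log string) ([]Finding, error) {
	var findings []Finding
	for _, line := range strings.Split(log, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad audit line: %w", err)
		}
		findings = append(findings, d.checkEvent(ev)...)
	}
	return findings, nil
}

// sampleAuditLog is constructed for this example; it is not a real capture.
const sampleAuditLog = `
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"dev-alice"},"objectRef":{"resource":"clickhouseusers","namespace":"dev-team","name":"ch-user"},"responseStatus":{"code":201},"requestObject":{"spec":{"connInfoSecretSource":{"name":"db-creds","namespace":"production","passwordKey":"password"}}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"system:serviceaccount:aiven-operator-system:aiven-operator"},"objectRef":{"resource":"secrets","namespace":"production","name":"db-creds"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"system:serviceaccount:aiven-operator-system:aiven-operator"},"objectRef":{"resource":"secrets","namespace":"dev-team","name":"app-creds"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"dev-bob"},"objectRef":{"resource":"clickhouseusers","namespace":"dev-team","name":"ch-user-2"},"responseStatus":{"code":201},"requestObject":{"spec":{"connInfoSecretSource":{"name":"app-creds","passwordKey":"password"}}}}
`

// NewExampleDetector wires the assumed ServiceAccount name and baseline.
func NewExampleDetector() Detector {
	return Detector{
		OperatorSA:         "system:serviceaccount:aiven-operator-system:aiven-operator",
		ExpectedNamespaces: map[string]bool{"dev-team": true},
	}
}

func main() {
	findings, err := NewExampleDetector().Scan(sampleAuditLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s\n", f.Rule, f.Detail)
	}
}
```

On the constructed log the first line raises the cross-namespace finding and the second raises the outside-baseline read; the operator's read in dev-team and the ClickhouseUser without a namespace field produce nothing. In a real cluster, feed it the API server audit log (or the SIEM export of it) and derive the baseline from the namespaces that actually contain Aiven resources.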

How to Mitigate CVE-2026-39961

Immediate Actions Required

  • Upgrade Aiven Operator to version 0.37.0 or later immediately
  • Audit all existing ClickhouseUser CRDs for cross-namespace secret references before upgrading
  • Review Kubernetes audit logs for evidence of prior exploitation attempts
  • Inventory all secrets that may have been exposed through this vulnerability and rotate compromised credentials

Patch Information

The vulnerability is fixed in Aiven Operator version 0.37.0. The fix removes the namespace field from the ConnInfoSecretSource struct entirely, enforcing that secrets must reside in the same namespace as the requesting resource. See the GitHub Security Advisory GHSA-99j8-wv67-4c72 for complete details and the v0.37.0 release notes for upgrade instructions.

Workarounds

  • If immediate upgrade is not possible, implement a Kubernetes admission webhook or policy (OPA Gatekeeper/Kyverno) to reject ClickhouseUser CRDs with non-empty spec.connInfoSecretSource.namespace fields
  • Restrict RBAC permissions to prevent untrusted users from creating ClickhouseUser CRDs until the upgrade can be completed
  • Consider temporarily scaling down the Aiven Operator deployment if exploitation is suspected and upgrade cannot be performed immediately

bash
# Kyverno ClusterPolicy that rejects ClickhouseUser objects whose
# spec.connInfoSecretSource points at another namespace (workaround only;
# upgrade to Aiven Operator v0.37.0 as the real fix).
# A plain pattern of `namespace: ""` would also reject objects that omit the
# field, because a pattern key missing from the resource fails validation in
# Kyverno; the CEL rule below accepts an absent or empty field and, like the
# patched operator, a value equal to the object's own namespace.
kubectl apply -f - <<EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-aiven-cross-namespace-secrets
spec:
  validationFailureAction: Enforce
  rules:
  - name: deny-cross-namespace-conninfosecret
    match:
      any:
      - resources:
          kinds:
          - ClickhouseUser
    validate:
      cel:
        expressions:
        - expression: >-
            !has(object.spec.connInfoSecretSource) ||
            !has(object.spec.connInfoSecretSource.namespace) ||
            object.spec.connInfoSecretSource.namespace == "" ||
            object.spec.connInfoSecretSource.namespace == object.metadata.namespace
          message: "Cross-namespace secret references are prohibited (CVE-2026-39961)"
EOF

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Information Disclosure
  • Vendor/Tech: Aiven
  • Severity: MEDIUM
  • CVSS Score: 6.8
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CWE References

  • CWE-269

Technical References

  • GitHub Commit Update
  • GitHub Release v0.37.0
  • GitHub Security Advisory GHSA-99j8-wv67-4c72

Related CVEs

  • CVE-2023-32305: Aiven PostgreSQL Privilege Escalation