, A security issue was discovered in secrets-store-sync-controller where an actor with access to the controller logs could observe service account tokens. These tokens could then

please contact security@kubernetes.io Additional Details See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/133471 Acknowledgements

, A security issue was discovered in Kubernetes where an unauthorized user may be able to ssh/RDP/WINRM to a Windows node VM which uses a VM image built with the Kubernetes Image Builder

Hat Product Security < secalert@redhat.com> wrote: > Hello! > > INC3695208 ([Security Advisory] CVE-2025-4563: Nodes can bypass dynamic > resource allocation

The Kubernetes Security Response Committee received a report that this issue could be abused in Kubernetes to delete arbitrary directories on a Node with root permissions by a local

please contact security@kubernetes.io Additional Details See these GitHub issues for more details: CVE-2025-24513: https://github.com/kubernetes/kubernetes/issues/131005

, A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network policies during namespace deletion. The

, A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node

, A security vulnerability has been discovered in Kubernetes windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary

, A security vulnerability was discovered in Kubernetes that could allow a user with the ability to create a pod and associate a gitRepo volume to execute arbitrary commands beyond

, A security issue was discovered in Kubernetes where an unauthorized user may be able to ssh to a node VM which uses a VM image built with the Kubernetes Image Builder project ( https:

, A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the `networking.k8s.io` or `extensions` API group) can bypass annotation

, A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and NT AUTHORITY\Authenticated Users may be able

> A security issue was discovered in azure-file-csi-driver where an actor > with access to the driver logs could observe service account tokens. These > tokens could then

, A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes

Details A security issue was identified in ingress-nginx where the nginx.ingress.kubernetes.io/configuration-snippet annotation on an Ingress object (in the `networking.

Details A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use directives to bypass the sanitization of the `spec.rules[]

Details A security issue was identified in ingress-nginx where the nginx.ingress.kubernetes.io/permanent-redirect annotation on an Ingress object (in the `networking.k8s

, A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes running kubernetes-csi-proxy may be able to escalate to admin privileges on those

, A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are

, A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are

Details A security issue was reported in kOps with the GCP Provider running in Gossip Mode , where Node service account credentials could be used by a container running in the cluster

, A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin

, A security issue was discovered in Kubernetes where users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers

, A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. This issue has been rated LOW (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I

, A security issue was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially

address two security issues in minikube. We recommend all to upgrade minikube to the latest version and delete any Kubernetes clusters created with an affected version. Minikube

, A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted

, A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different

, A security issue was discovered in Kubernetes that could allow Windows workloads to run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true