Two newly disclosed Kubernetes vulnerabilities show how limited access can escalate into broad secret theft and potential full-cluster compromise. CVE-2026-39961 affects the Aiven Operator and enables cross-namespace secret exfiltration through a confused deputy condition, breaking multi-tenancy and namespace isolation. An attacker starting from a constrained developer role could access high-value service account tokens, particularly in kube-system, and potentially obtain cluster-admin privileges. From there, they could deploy malicious DaemonSets, alter node settings, read cluster-wide data, and pivot into cloud environments through permissive IAM integrations such as AWS IAM Roles for Service Accounts.

CVE-2026-40924 was disclosed affecting the Tekton Pipelines HTTP Resolver. The vulnerability allows uncontrolled resource consumption that can crash the tekton-pipelines-resolvers pod via OOM conditions, disrupting pipeline execution and potentially forcing the resolver into CrashLoopBackOff until malicious resources are removed.
CVE-2026-40938 was disclosed affecting the Tekton Pipelines Git Resolver. The flaw enables argument injection leading to remote code execution in the resolver pod and possible extraction of Kubernetes Secrets across namespaces through the component's service account permissions.
A vulnerability affecting Aiven Operator was disclosed as CVE-2026-39961. The issue allows cross-namespace secret exfiltration via a confused deputy condition, potentially leading to theft of service account tokens, cluster-admin access, and full Kubernetes cluster compromise.