Zero Day Monitor (ZDM)
CVE-2026-6383 · CVSS 5.4 · EXPLOITED
Vendor: Red Hat · Product: Red Hat OpenShift Virtualization

KubeVirt: unauthorized subresource access due to improper RBAC evaluation

Description

A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources.

Affected Products

Vendor    Product                            Versions
Red Hat   Red Hat OpenShift Virtualization   go/kubevirt.io/kubevirt: <= 1.8.1

References

  • https://access.redhat.com/security/cve/CVE-2026-6383 (vdb-entry, x_refsource_REDHAT)
  • https://bugzilla.redhat.com/show_bug.cgi?id=2458741 (issue-tracking, x_refsource_REDHAT)

Related News (1 article)

Tier C · VulDB · 5d ago
CVE-2026-6383 | Red Hat OpenShift Virtualization 4 Role-Based Access Control authorization
→ No new info (linked only)
CVSS 3.1: 5.4 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA KEV: No
Actively exploited: Yes
CWE: CWE-863
Published: Apr 15, 2026
Last enriched: 5d ago (v2)
Tags: CVE-2026-6383
Trending Score: 19
Source articles: 1
Independent: 1
Info Completeness: 7/14
Missing: versions, epss, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

[HIGH] PRE-CVE
Multiple Vulnerabilities in Red Hat Hardened Images RPMs (jq and pyOpenSSL)
Trending: 27
[NONE] CVE-2026-0966
Libssh: buffer underflow in ssh_get_hexa() on invalid input
Trending: 20
[NONE] CVE-2026-40915
Gimp: gimp: heap buffer overflow due to integer overflow in fits image loader
Trending: 19
[NONE] CVE-2026-4424
Libarchive: libarchive: information disclosure via heap out-of-bounds read in rar archive processing
Trending: 17
[MEDIUM] CVE-2026-37980
Org.keycloak.forms.login: keycloak: keycloak: arbitrary code execution via stored cross-site scripting (xss) in organization selection login page
Trending: 17

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 15, 2026
Discovered by ZDM: Apr 15, 2026
Actively Exploited: Apr 15, 2026
Updated (severity, activelyExploited, tags): Apr 16, 2026

Version History

v2 · Tier C · 5d ago (last enriched 5d ago)

Updated severity to CRITICAL, marked as actively exploited, and added CVE-2026-6383 as a new tag.

Changed fields: severity, activelyExploited, tags
Source: via VulDB

v1 · 5d ago

Initial creation