VDB

CVE-2026-9804

CVE-2026-9804 PUBLISHED CVSS 7.7 HIGH

Reported by redhat · Published May 28, 2026

A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link (symlink) within an exported filesystem Persistent Volume Claim (PVC) that points outside its designated mount root, the attacker can read arbitrary files from the exporter pod's filesystem. This leads to information disclosure, potentially exposing sensitive data.

Risk Scores

CVSS 3.1
7.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Affected Products

VendorProductVersions
Red HatRed Hat Container Native Virtualization 4.171781757410
Red HatRed Hat Container Native Virtualization 4.181781928221
Red HatRed Hat Container Native Virtualization 4.191781590993
Red HatRed Hat Container Native Virtualization 4.201781838712
Red HatRed Hat Container Native Virtualization 4.211782012918
Red HatRed Hat OpenShift Virtualization 4
Red HatRed Hat Container Native Virtualization 4.181781928221, 1781928221, 1781928221
Red HatRed Hat OpenShift Virtualization 4
Red HatRed Hat OpenShift Virtualization 4
Red HatRed Hat OpenShift Virtualization 4
Red HatRed Hat Container Native Virtualization 4.20
kubevirt.iokubevirt0
Red HatRed Hat Container Native Virtualization 4.171781757410, 1781757410, 1781757410
Red HatRed Hat Container Native Virtualization 4.201781838712, 1781838712, 1781838712
Red HatRed Hat Container Native Virtualization 4.211782012918, 1782012918, 1782012918
Red HatRed Hat Container Native Virtualization 4.191781590993, 1781590993, 1781590993
Red HatRed Hat Container Native Virtualization 4.21
Red HatRed Hat Container Native Virtualization 4.18
Red HatRed Hat Container Native Virtualization 4.19
Red HatRed Hat Container Native Virtualization 4.17

Timeline

  • May 28, 2026 CVE Published
  • May 28, 2026 EPSS Score
  • May 29, 2026 EPSS Score
  • May 30, 2026 EPSS Score
  • May 30, 2026 Coalition ESS Score
  • May 31, 2026 EPSS Score
  • Jun 1, 2026 EPSS Score
  • Jun 2, 2026 Security Advisory
  • Jun 5, 2026 EPSS Score
  • Jun 22, 2026 CVE Updated
  • Jun 23, 2026 Distribution Patch
  • Jun 23, 2026 Distribution Patch

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›