Cyber Resilience

CVE-2025-14459

Severity: High (Updated)

Published: 26 January 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (RHSA-2026:0950)
CVSS Score v3.1: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0034 (25.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-14459 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in the KubeVirt Containerized Data Importer (CDI); the affected vendor is listed as Red Hat (inferred from references). Its CVSS v3.1 base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK techniques Data from Local System (T1005) and Data from Cloud Storage (T1530). The CVE is ranked at the 25.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-14459 is a vulnerability in the KubeVirt Containerized Data Importer (CDI), the component that imports, uploads and clones disk images into PersistentVolumeClaims (PVCs) for KubeVirt virtual machines on Kubernetes. A DataImportCron can be configured with a PVC as its source; the flaw is that CDI does not properly verify the requester's authorization for that source PVC, so a user can clone PVCs out of namespaces they have no access to. The vulnerability has a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) and is classified as CWE-639 (Authorization Bypass Through User-Controlled Key): the user-controlled key here is the source PVC namespace/name pair in the DataImportCron spec.

An attacker needs only low privileges (PR:L), in practice the ability to create or modify a DataImportCron in some namespace of a cluster running the vulnerable CDI, and can exploit the flaw over the network (the Kubernetes API) with low complexity and no user interaction. By pointing the DataImportCron PVC source at a PVC in a namespace they cannot otherwise read, they obtain a clone of that volume in their own namespace. The scope is Changed (S:C) because the impacted resource (another tenant's PVC) lies outside the authorization scope of the vulnerable component, which is what drives the score to 8.5: confidentiality impact is High, integrity impact is Low (the attacker controls the clone, not the original), and availability is unaffected.

Red Hat has addressed this issue in security errata RHSA-2026:0950; details are on the Red Hat CVE page (https://access.redhat.com/security/cve/CVE-2025-14459) and the Bugzilla tracker (https://bugzilla.redhat.com/show_bug.cgi?id=2420938). Security practitioners should apply the patched CDI build promptly. Until it is rolled out, review which principals hold create or update rights on DataImportCron objects, confine those rights to trusted namespaces, and inventory existing DataImportCrons whose PVC source lives in a namespace other than their own, since those are the objects this flaw turns into a data-access path.
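The audit suggested above, as an added example that is not the advisory's or the KubeVirt/CDI project's own code: a Python script that takes the JSON produced by `kubectl get dataimportcron -A -o json`, finds every DataImportCron whose PVC source sits in a different namespace from the cron itself, and reports those not covered by an allowlist of permitted source namespaces. The field path spec.template.spec.source.pvc.{name,namespace}, the treatment of a missing namespace field, the allowlist and the sample objects are all assumptions constructed for this example.

```python
"""Audit DataImportCron objects for cross-namespace PVC clone sources.

Added example, not part of the advisory or the KubeVirt/CDI project.
Assumed input: the JSON that `kubectl get dataimportcron -A -o json`
returns, with the clone source at spec.template.spec.source.pvc.{name,namespace}.
The allowlist and the sample objects below are constructed for the example.
"""
import json
import sys

# Constructed sample standing in for real `kubectl get dataimportcron -A -o json` output.
SAMPLE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # same-namespace source: not a cross-namespace clone at all
            "kind": "DataImportCron",
            "metadata": {"name": "fedora-cron", "namespace": "golden-images"},
            "spec": {"template": {"spec": {"source": {"pvc": {
                "name": "fedora-base", "namespace": "golden-images"}}}}},
        },
        {   # cross-namespace source that the allowlist permits
            "kind": "DataImportCron",
            "metadata": {"name": "rhel-cron", "namespace": "team-a"},
            "spec": {"template": {"spec": {"source": {"pvc": {
                "name": "rhel-base", "namespace": "golden-images"}}}}},
        },
        {   # cross-namespace source with no grant: this is the finding
            "kind": "DataImportCron",
            "metadata": {"name": "exfil-cron", "namespace": "tenant-b"},
            "spec": {"template": {"spec": {"source": {"pvc": {
                "name": "payroll-db", "namespace": "finance"}}}}},
        },
        {   # registry source, no pvc block: ignored by this audit
            "kind": "DataImportCron",
            "metadata": {"name": "registry-cron", "namespace": "tenant-b"},
            "spec": {"template": {"spec": {"source": {"registry": {
                "url": "docker://registry.example/os:latest"}}}}},
        },
    ],
})

# Constructed policy: destination namespace -> source namespaces it may clone from.
ALLOWED_SOURCES = {
    "team-a": {"golden-images"},
    "tenant-b": set(),
}


def pvc_source(item):
    """Return (source_namespace, source_name) for a DataImportCron, or None
    when its template is not PVC-sourced."""
    pvc = (item.get("spec", {}).get("template", {}).get("spec", {})
               .get("source", {}).get("pvc"))
    if not pvc:
        return None
    # A missing namespace field is treated as "same namespace as the cron";
    # that default is an assumption of this example, not documented CDI behaviour.
    return pvc.get("namespace") or item["metadata"]["namespace"], pvc["name"]


def audit_dataimportcrons(list_json, allowed=ALLOWED_SOURCES):
    """Return one finding per DataImportCron whose PVC source lives in a
    namespace that the cron's own namespace is not allowed to clone from."""
    findings = []
    for item in json.loads(list_json)["items"]:
        src = pvc_source(item)
        if src is None:
            continue
        src_ns, src_name = src
        dst_ns = item["metadata"]["namespace"]
        if src_ns == dst_ns:
            continue                       # ordinary in-namespace clone
        if src_ns in allowed.get(dst_ns, set()):
            continue                       # explicitly granted source
        findings.append({
            "cron": f"{dst_ns}/{item['metadata']['name']}",
            "source_pvc": f"{src_ns}/{src_name}",
            "reason": "cross-namespace PVC source not in allowlist",
        })
    return findings


if __name__ == "__main__":
    # Pipe real kubectl output in; fall back to the constructed sample otherwise.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST
    for f in audit_dataimportcrons(data):
        print(f"FINDING {f['cron']} clones {f['source_pvc']}: {f['reason']}")
```

Run it as `kubectl get dataimportcron -A -o json | python3 audit_dic.py`. On the constructed sample it reports only tenant-b/exfil-cron, which pulls finance/payroll-db without a grant. The script tells you which DataImportCrons are configured to read across namespaces; it cannot tell you whether the principal who created each one was entitled to that source, so pair it with a review of who holds create and update on dataimportcrons in each namespace.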

Vulnerability details

A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism.

CWE(s)

CWE-639 Authorization Bypass Through User-Controlled Key

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1530 Data from Cloud Storage (Collection)
Adversaries may access data from cloud storage.
Why these techniques?

The authorization bypass in the CDI DataImportCron PVC source lets a low-privileged user clone PVCs from namespaces they cannot otherwise read, which amounts to collecting data from restricted volumes (virtual machine disks, T1005) and, where those volumes are backed by cloud block storage, from cloud storage (T1530).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-14974 (shared CWE-639)
CVE-2026-24773 (shared CWE-639)
CVE-2026-22589 (shared CWE-639)
CVE-2025-45968 (shared CWE-639)
CVE-2026-22235 (shared CWE-639)
CVE-2024-50687 (shared CWE-639)
CVE-2025-26977 (shared CWE-639)
CVE-2026-41471 (shared CWE-639)
CVE-2026-2554 (shared CWE-639)
CVE-2026-7491 (shared CWE-639)

Affected Assets

Red Hat (vendor inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-2 Flaw Remediation · prevent
Directly remediates the CDI authorization bypass flaw by requiring timely identification, reporting, and application of the specific security patch (RHSA-2026:0950).

AC-3 Access Enforcement · prevent
Enforces approved authorizations on CDI DataImportCron PVC source operations to block unauthorized cross-namespace cloning of PersistentVolumeClaims.

prevent
Limits low-privileged user access to CDI resources, reducing the ability to exploit the DataImportCron mechanism for unauthorized PVC cloning.

References

Red Hat CVE page: https://access.redhat.com/security/cve/CVE-2025-14459
Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2420938
Red Hat Security Errata: RHSA-2026:0950