CVE-2025-14459
Published: 26 January 2026
Summary
CVE-2025-14459 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in a Red Hat product (vendor inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The vulnerability ranks at the 25.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-14459 is a vulnerability in the KubeVirt Containerized Data Importer (CDI), a component used for managing data imports in KubeVirt environments on Kubernetes. The flaw enables a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces through the DataImportCron PVC source mechanism, leading to unauthorized data access. It has a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) and is associated with CWE-639 (Authorization Bypass Through User-Controlled Key).
An attacker with low privileges (PR:L) in a KubeVirt CDI deployment can exploit this over the network with low complexity and no user interaction. By leveraging the flawed DataImportCron mechanism, they can clone PVCs from namespaces they lack access to, achieving high-impact confidentiality violations through unauthorized data access across scopes, with limited integrity impact and no availability disruption.
Red Hat has addressed this issue in security errata RHSA-2026:0950, with detailed advisories available on their CVE page (https://access.redhat.com/security/cve/CVE-2025-14459) and Bugzilla tracker (https://bugzilla.redhat.com/show_bug.cgi?id=2420938). Security practitioners should apply the patches promptly and review access controls on CDI resources to mitigate risks.
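The advisory's second recommendation, reviewing access controls on CDI resources, is easier to act on with a concrete check. The script below is an added example for this page; it is not code from the page, from Red Hat, or from the KubeVirt project. It assumes (not stated on the page) that the input is the JSON list returned by `kubectl get dataimportcron -A -o json`, that each object carries a DataVolume-style source at `spec.template.spec.source.pvc.{namespace,name}`, and that a PVC source with no explicit namespace defaults to the cron's own namespace. It lists every DataImportCron whose PVC source lives in another namespace so an operator can confirm each one is an intended, RBAC-authorized clone rather than the cross-namespace access this CVE describes; it does not decide authorization itself, and it is a review aid alongside the RHSA-2026:0950 patch, not a substitute for it.

```python
"""Audit DataImportCron objects for cross-namespace PVC sources (CVE-2025-14459 review aid).

Added example; not code from the page, Red Hat, or KubeVirt.
Assumptions (not stated on the page):
  * input is the JSON that `kubectl get dataimportcron -A -o json` returns (kind: List, .items)
  * each item uses the DataVolume-style layout spec.template.spec.source.pvc.{namespace,name}
  * a PVC source without an explicit namespace refers to the cron's own namespace
Whether a flagged source is legitimate depends on your RBAC; this only surfaces candidates.
"""
import json
from typing import Any, Dict, Iterable, List, Optional


def pvc_source(item: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Return the PVC source block of one DataImportCron, or None if the source is not a PVC."""
    src = (item.get("spec", {})
               .get("template", {})
               .get("spec", {})
               .get("source", {}))
    pvc = src.get("pvc")
    if not isinstance(pvc, dict) or "name" not in pvc:
        return None
    return pvc


def cross_namespace_sources(items: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Flag DataImportCron objects whose PVC source sits in a different namespace than the cron.

    A PVC source with no explicit namespace is treated as same-namespace (assumed default)
    and is therefore not flagged.
    """
    findings: List[Dict[str, str]] = []
    for item in items:
        meta = item.get("metadata", {})
        own_ns = meta.get("namespace", "")
        pvc = pvc_source(item)
        if pvc is None:
            continue  # registry/http/other sources do not clone a PVC
        src_ns = pvc.get("namespace") or own_ns
        if src_ns != own_ns:
            findings.append({
                "cron": f"{own_ns}/{meta.get('name', '?')}",
                "source_pvc": f"{src_ns}/{pvc['name']}",
            })
    return findings


def audit(kubectl_json: str) -> List[Dict[str, str]]:
    """Parse `kubectl ... -o json` output and return the cross-namespace findings."""
    doc = json.loads(kubectl_json)
    return cross_namespace_sources(doc.get("items", []))


# Constructed sample input, shaped like `kubectl get dataimportcron -A -o json` output.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {   # same-namespace clone: not flagged
            "metadata": {"name": "golden-image", "namespace": "images"},
            "spec": {"template": {"spec": {"source": {"pvc": {"name": "golden-src"}}}}},
        },
        {   # explicit cross-namespace clone: flagged for review
            "metadata": {"name": "tenant-cron", "namespace": "tenant-a"},
            "spec": {"template": {"spec": {"source": {
                "pvc": {"namespace": "tenant-b", "name": "secret-disk"}}}}},
        },
        {   # registry source, no PVC involved: skipped
            "metadata": {"name": "fedora", "namespace": "images"},
            "spec": {"template": {"spec": {"source": {
                "registry": {"url": "docker://example.invalid/fedora"}}}}},
        },
    ],
})

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"REVIEW {f['cron']} clones {f['source_pvc']} from another namespace")
```

On a live cluster, pipe the real `kubectl get dataimportcron -A -o json` output into `audit()` and compare each finding against the RoleBindings that are supposed to grant clone rights on the source namespace; any finding without a matching, intended grant is worth investigating as potential exposure under this CVE.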
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206337
Vulnerability details
A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Auth bypass in CDI DataImportCron directly enables cloning unauthorized PVCs, facilitating data collection from restricted volumes/namespaces (T1005/T1530).
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-2 (Flaw Remediation): Directly remediates the CDI authorization bypass flaw by requiring timely identification, reporting, and application of the specific security patch (RHSA-2026:0950).
- AC-3 (Access Enforcement): Enforces approved authorizations on CDI DataImportCron PVC source operations to block unauthorized cross-namespace cloning of PersistentVolumeClaims.
- Limits low-privileged user access to CDI resources, reducing the ability to exploit the DataImportCron mechanism for unauthorized PVC cloning.