CVE-2026-22806
Published: 29 January 2026
Summary
CVE-2026-22806 is a critical-severity Incorrect Authorization (CWE-863) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 3.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations for access to resources, directly addressing the CVE's scope bypass in access keys that allows unauthorized access beyond intended limits.
AC-6 enforces least privilege, limiting the impact of scope bypass by ensuring access key owners have only necessary permissions, aligning with advisory mitigations to use minimal permission automation users.
AC-2 mandates management and review of accounts including access keys, supporting mitigations like reviewing scoped keys and verifying user permissions to prevent misuse.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authorization bypass on scoped access keys directly enables privilege escalation to the owner's broader permissions in the multi-tenant platform.
NVD Description
vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, the scope can be bypassed to access resources outside of it. However, the user still cannot access resources beyond what is accessible to the owner of the access key. Versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10 fix the vulnerability. Some other mitigations are available. Users can limit exposure by reviewing access keys which are scoped and ensuring any users with access to them have appropriate permissions set. Creating automation users with very limited permissions and using access keys for these automation users can be used as a temporary workaround where upgrading is not immediately possible but scoped access keys are needed.
Deeper analysis
CVE-2026-22806 affects the vCluster Platform, a Kubernetes-based solution for managing virtual clusters, multi-tenancy, and cluster sharing. In versions prior to 4.6.0, 4.5.4, 4.4.2, and 4.3.10, the vulnerability allows bypassing the limited scope of an access key, enabling access to resources outside the intended scope. This issue stems from CWE-863 (Incorrect Authorization) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to network accessibility, low attack complexity, and high impacts across confidentiality, integrity, and availability with a scope change.
Exploitation requires high privileges (PR:H), specifically possession of a scoped access key whose owner has broader resource access. An attacker with such a key can bypass scope restrictions over the network to read, modify, or disrupt resources beyond the key's limits, but only up to the owner's permissions. This enables privilege escalation within the platform's multi-tenant environment, potentially compromising virtual clusters or shared resources.
The advisory recommends upgrading to fixed versions 4.6.0, 4.5.4, 4.4.2, or 4.3.10. Additional mitigations include reviewing all scoped access keys and verifying that users with access to them have appropriate permissions. As a workaround, create automation users with minimal permissions and issue access keys only for those, limiting exposure until patching is feasible. See the GitHub advisory at https://github.com/loft-sh/loft/security/advisories/GHSA-c539-w4ch-7wxq for full details.
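As an added illustration (not vCluster's code; the Permission and AccessKey model, the project and resource names are constructed assumptions), the Go snippet below contrasts an authorizer that consults only the owner's rights with one that also enforces the key's scope, and adds the review helper that the advisory's "review scoped access keys" mitigation calls for:

```go
package main

import "fmt"

// Permission is a hypothetical (project, resource) pair an owner may act on.
type Permission struct{ Project, Resource string }

// AccessKey models a scoped key: Scope holds the projects the key may touch
// (nil means unscoped); OwnerPerms are the rights of the user who created it.
type AccessKey struct {
	Scope      map[string]bool
	OwnerPerms map[Permission]bool
}

// inScope reports whether a project lies inside the key's declared scope.
func inScope(k AccessKey, project string) bool { return k.Scope == nil || k.Scope[project] }

// AuthorizeVulnerable models the defect the advisory describes: the owner's
// permissions are consulted but the key's scope is never enforced.
func AuthorizeVulnerable(k AccessKey, p Permission) bool { return k.OwnerPerms[p] }

// AuthorizeFixed enforces AC-3: effective rights are owner rights intersected
// with key scope, so out-of-scope requests fail even if the owner could do them.
func AuthorizeFixed(k AccessKey, p Permission) bool {
	return inScope(k, p.Project) && k.OwnerPerms[p]
}

// ExcessExposure lists owner rights outside the key's scope: what a bypass on
// this key would reach, and what the "review scoped keys" mitigation should find.
func ExcessExposure(k AccessKey) (out []Permission) {
	for p := range k.OwnerPerms {
		if !inScope(k, p.Project) {
			out = append(out, p)
		}
	}
	return out
}

// SampleKey is a constructed key scoped to project-a whose owner also holds
// rights in project-b, the condition under which the bypass matters.
func SampleKey() AccessKey {
	return AccessKey{Scope: map[string]bool{"project-a": true}, OwnerPerms: map[Permission]bool{
		{"project-a", "virtualclusters"}: true, {"project-b", "virtualclusters"}: true}}
}

func main() {
	k, req := SampleKey(), Permission{"project-b", "virtualclusters"}
	fmt.Println(AuthorizeVulnerable(k, req), AuthorizeFixed(k, req), ExcessExposure(k))
}
```

A non-empty ExcessExposure result is the signal to replace the key's owner with a minimal-permission automation user, as the advisory's workaround suggests.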
Details
- CWE(s)