External risk intelligence

vCluster Platform could allow an internal attacker to create an administrative account.

CVE advisory

Severity: CRITICAL (CVSS 9.0)

CVE-2026-42457

An authenticated internal user of vCluster Platform can store script in a template reference name. The platform later renders that value in the web UI, so the script executes in the browser of whoever views it, including an administrator, and runs with that administrator's session. This could allow the attacker to create unauthorized administrative accounts and gain full, unrestricted control over the platform.

Halo Surface Signal: 2

Weakness class: Cross-site Scripting

External exposure likelihood

Halo Surface Signal score for CVE-2026-42457

The vulnerability resides in an internal Kubernetes management platform. Such platforms are typically deployed within private corporate networks or behind VPNs to manage developer infrastructure, rather than being exposed directly to the public internet. Consequently, public exposure is uncommon in standard deployment configurations.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in vCluster Platform could allow an attacker with namespace creation privileges to store malicious script in the platform. The script is not executed where it is stored; it runs later in the browser of any user who views the affected content. If that user is a Global-Admin, the script acts with Global-Admin privileges and could create a new Global-Admin user, bypassing the platform's access controls.

  • Runs in the browser of any platform user who views the injected content, including Global-Admins.
  • A script running in an admin's session can create new admin accounts.

Attack Path

How an attacker could exploit the issue

An attacker with namespace creation privileges stores a script payload in the name field of a templateRef. The platform saves the value and later renders it unescaped in its web UI, so the payload executes in the browser of any user who views it. Executed in an administrator's session, the script can act with that administrator's privileges: impersonate users, read sensitive information, or create a new Global-Admin user, giving the attacker full control over the vCluster Platform environment.

  • Needs namespace creation permission.
  • Payload is stored in the name field of a templateRef.
  • Stored XSS in an admin's browser leads to admin takeover.
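The attack path above, as an added example; this is not vCluster Platform code, and the field names, the rendering functions and the attacker payload are assumptions chosen to illustrate the mechanism. It shows how a stored templateRef name becomes live markup when interpolated into HTML unescaped (the innerHTML pattern), and the two controls that stop it: escaping on output (the textContent pattern) and validating the name on input.

```javascript
// Added example, not vCluster Platform code. Field names, function names
// and the payload are assumptions used to illustrate stored XSS via a
// template reference name.

// Constructed attacker payload: a templateRef name an attacker with
// namespace-creation rights might store. In a real attack the handler would
// call the platform's own API with the viewer's session; alert() stands in.
const ATTACKER_TEMPLATE_NAME = '<img src=x onerror="alert(document.domain)">';

// Minimal HTML escaping for text placed inside an element body.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: untrusted data interpolated straight into markup
// (the equivalent of element.innerHTML = ...). The stored payload becomes
// live markup for whoever views the namespace list.
function renderRowUnsafe(ns) {
  return `<tr><td>${ns.name}</td><td>${ns.templateRef.name}</td></tr>`;
}

// Hardened pattern: escape on output (the equivalent of element.textContent).
function renderRowSafe(ns) {
  return `<tr><td>${escapeHtml(ns.name)}</td><td>${escapeHtml(ns.templateRef.name)}</td></tr>`;
}

// Defense in depth: validate on input as well. Template names are assumed
// here to follow Kubernetes DNS-1123 label rules, which leave no room for
// markup characters at all.
const DNS1123_LABEL = /^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$/;
function isValidTemplateName(name) {
  return DNS1123_LABEL.test(String(name));
}

// Lists any HTML tag in the rendered row other than the ones the trusted
// template itself emits. Escaped text (&lt;img ...) does not match.
function unexpectedTags(html) {
  const allowed = new Set(['tr', 'td']);
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)) {
    const tag = m[1].toLowerCase();
    if (!allowed.has(tag)) found.add(tag);
  }
  return [...found];
}

// Constructed namespace object as the UI might receive it from the API.
const SAMPLE_NAMESPACE = { name: 'team-a', templateRef: { name: ATTACKER_TEMPLATE_NAME } };

console.log('unsafe row, unexpected tags:', unexpectedTags(renderRowUnsafe(SAMPLE_NAMESPACE)));
console.log('safe row, unexpected tags:  ', unexpectedTags(renderRowSafe(SAMPLE_NAMESPACE)));
console.log('payload passes input validation:', isValidTemplateName(ATTACKER_TEMPLATE_NAME));
```

Output escaping is the fix that actually closes the hole, because it protects every field regardless of what the API accepts; input validation is worth adding because it also stops the payload from ever being stored, but a framework's HTML-setting APIs must still be avoided for untrusted data.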

Live Threat

Current exploitation, exposure, and threat context

Attackers may find this Stored XSS vulnerability in vCluster Platform appealing because a successful attack can create a Global-Admin user, which grants significant control. The requirement that the attacker be able to create namespaces is a limiting factor, but once it is met, the ability to execute arbitrary script in the browser session of any user who views the injected content, including a Global-Admin, is a powerful outcome.

  • No observed public exploit.
  • Not listed on KEV.
  • Vulnerability fixed recently.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching vCluster Platform instances affected by this Stored XSS, since exploitation could lead to the creation of a new Global-Admin user and bypass the platform's access controls. Where patching is not immediately feasible, identify and isolate affected instances, and limit who holds the namespace creation permission the attack requires.

  • Apply patches: v4.4.3, v4.5.5, v4.6.2, v4.7.1, or v4.8.0.
  • If patching is not feasible, isolate vulnerable instances from untrusted users until they are updated.
  • Monitor for unexpected user creation, especially new Global-Admin users, and audit stored templateRef names for markup or script content.
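The monitoring bullet above, as an added example of detection logic; this is not vCluster Platform tooling. It assumes the platform runs on Kubernetes with audit logging at RequestResponse level, that its users and namespace-like objects are API resources, and that admin privilege shows up as a cluster role name containing "admin". The API groups, resource names, role names and the audit events themselves are constructed for the example and must be checked against your own platform's CRDs before use.

```javascript
// Added example, not vCluster Platform tooling. API groups, resource names,
// role names and the sample events are assumptions/constructed data.

// Constructed sample audit events in Kubernetes audit.k8s.io/v1 format,
// one JSON object per line. requestObject is only present when the audit
// policy logs these resources at RequestResponse level.
const SAMPLE_AUDIT_LOG = `
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"dev-bob"},"objectRef":{"apiGroup":"management.loft.sh","resource":"spaceinstances","namespace":"p-team-a","name":"team-a"},"requestObject":{"spec":{"templateRef":{"name":"<img src=x onerror=alert(1)>"}}},"responseStatus":{"code":201}}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"admin-alice"},"objectRef":{"apiGroup":"storage.loft.sh","resource":"users","name":"backdoor"},"requestObject":{"spec":{"clusterRoles":[{"name":"loft-management-admin"}]}},"responseStatus":{"code":201}}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"admin-alice"},"objectRef":{"apiGroup":"storage.loft.sh","resource":"users","name":"intern"},"requestObject":{"spec":{"clusterRoles":[]}},"responseStatus":{"code":201}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"dev-bob"},"objectRef":{"apiGroup":"management.loft.sh","resource":"spaceinstances","name":"team-a"},"responseStatus":{"code":200}}
`;

// Assumed naming convention for privileged roles; adjust for your platform.
const ADMIN_ROLE_PATTERN = /admin/i;
// Characters and schemes that have no business in a template name.
const MARKUP_PATTERN = /[<>"'`]|javascript:/i;

// Parse JSON-lines audit output, skipping blank or non-JSON lines.
function parseAuditLog(text) {
  const events = [];
  for (const line of text.split('\n')) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    try { events.push(JSON.parse(trimmed)); } catch (_) { /* not JSON, skip */ }
  }
  return events;
}

// Successful creation of a platform User object.
function isUserCreation(ev) {
  const code = ev.responseStatus && ev.responseStatus.code;
  return ev.verb === 'create' && ev.objectRef && ev.objectRef.resource === 'users'
    && typeof code === 'number' && code >= 200 && code < 300;
}

// Admin-looking cluster roles granted in the request body, if any.
function grantedAdminRoles(ev) {
  const spec = ev.requestObject && ev.requestObject.spec;
  const roles = (spec && spec.clusterRoles) || [];
  return roles.map(r => r.name).filter(n => ADMIN_ROLE_PATTERN.test(String(n)));
}

// The templateRef name carried in the request body, if the object has one.
function templateRefName(ev) {
  const spec = ev.requestObject && ev.requestObject.spec;
  return spec && spec.templateRef && spec.templateRef.name;
}

// Returns both classes of finding. Every admin-role user creation is
// reported for review rather than filtered by actor: a user created through
// an XSS payload is recorded under the victim administrator's identity.
function scanAuditLog(text) {
  const findings = { adminUserCreations: [], templateRefInjections: [] };
  for (const ev of parseAuditLog(text)) {
    if (!ev.objectRef) continue;
    const actor = ev.user && ev.user.username;
    if (isUserCreation(ev)) {
      const roles = grantedAdminRoles(ev);
      if (roles.length) findings.adminUserCreations.push({ actor, user: ev.objectRef.name, roles });
    }
    const name = templateRefName(ev);
    if (typeof name === 'string' && MARKUP_PATTERN.test(name)) {
      findings.templateRefInjections.push({
        actor, object: `${ev.objectRef.resource}/${ev.objectRef.name}`, name,
      });
    }
  }
  return findings;
}

console.log(JSON.stringify(scanAuditLog(SAMPLE_AUDIT_LOG), null, 2));
```

The templateRef check is the higher-signal alert of the two, because it fires at the moment the payload is stored, before any administrator has viewed it; the admin-user-creation check is a review queue, since legitimate onboarding produces the same event.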

Frequently asked questions

What is vCluster Platform and what is it used for?

vCluster Platform is a system for managing virtual clusters, multi-tenancy, and sharing Kubernetes clusters. It helps organize and streamline Kubernetes environments, particularly in multi-user or complex setups.

What type of weakness is CVE-2026-42457 in vCluster Platform?

CVE-2026-42457 is a Stored Cross-Site Scripting (XSS) vulnerability. This means malicious scripts can be saved within the platform and later executed in a user's browser.

How can an attacker exploit CVE-2026-42457?

An attacker needs the ability to create namespaces within vCluster Platform. They can then place script in the name field of a templateRef; the platform stores the value and later renders it unescaped in the browser of any user who views it. Without namespace creation permission the attacker cannot reach the vulnerable field, so the vulnerability is not triggered.

Who should be concerned about this vCluster Platform vulnerability?

Organizations running vCluster Platform should take note even though the platform is normally reachable only from internal networks. It is unlikely to be directly internet-facing, but its potential for internal administrative takeover makes it relevant for security teams managing internal developer tools.

What is the first step for teams running vCluster Platform affected by this issue?

The primary action is to update vCluster Platform to a fixed version, such as 4.4.3, 4.5.5, 4.6.2, 4.7.1, or 4.8.0. If immediate patching isn't possible, isolating vulnerable services is recommended.
