GHSA-gvhc-wv3v-7pf8: Kite has an authenticated cluster RBAC bypass in /api/v1/overview
Summary
Kite, a Kubernetes management tool, has a security flaw where authenticated users can bypass role-based access control (RBAC, a system that restricts what users can do based on their assigned roles) to view cluster data they shouldn't access. By using a request header called `x-cluster-name`, a user with permission for only one cluster can retrieve aggregate inventory and resource data (nodes, pods, namespaces, services, CPU, and memory counts) from other clusters they shouldn't be able to see. The vulnerability exists because the `/api/v1/overview` endpoint is registered before the RBAC middleware (code that enforces permission checks) is applied, and it only verifies that a user has at least one role instead of checking if they can access the specific cluster.
Vulnerability Details
EPSS: 0.0%
Yes
July 7, 2026
Classification
Affected Packages
Original source: https://github.com/advisories/GHSA-gvhc-wv3v-7pf8
First tracked: July 7, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%