GHSA-wv8c-6mx2-xf4j: Omni: Reader-level users can retrieve imported cluster CA keys via ResourceService
Tags: high, vulnerability, security
Summary
Omni (a cluster management tool) creates a resource called ImportedClusterSecrets when importing standalone Talos clusters. This resource holds the cluster's CA (certificate authority, the foundational keys that verify identities in a system) secrets. Unless the user who imported the cluster rotates these secrets, any authenticated user with Reader-level access can read this resource and obtain full control over the cluster's Kubernetes, Talos, and etcd APIs, bypassing Omni's own access controls.
Vulnerability Details
EPSS (30-day exploit probability): 0.0%
Patch Available: Yes
Disclosure Date: June 5, 2026
Classification
Attack Sophistication: Moderate
Affected Packages
github.com/siderolabs/omni: >= 1.7.0, < 1.7.3 (fixed: 1.7.3)
github.com/siderolabs/omni: >= 1.3.0, < 1.6.6 (fixed: 1.6.6)
Original source: https://github.com/advisories/GHSA-wv8c-6mx2-xf4j
First tracked: June 5, 2026 at 02:00 PM