CVE-2026-45726: Omni: Reader-level users can retrieve imported cluster CA keys via ResourceService

June 5, 2026

Omni supports importing standalone Talos clusters.

During this process, an ImportedClusterSecrets resource is created, which contains the full CA secrets bundle for the cluster being imported.

If these secrets are not rotated by the importing actor, an authenticated Omni user with Reader access can read this resource and gain full access to the Talos, Kubernetes and etcd APIs of the cluster.

References

github.com/advisories/GHSA-wv8c-6mx2-xf4j
github.com/siderolabs/omni/releases/tag/v1.6.6
github.com/siderolabs/omni/releases/tag/v1.7.3
github.com/siderolabs/omni/security/advisories/GHSA-wv8c-6mx2-xf4j
nvd.nist.gov/vuln/detail/CVE-2026-45726

Code Behaviors & Features

Detect and mitigate CVE-2026-45726 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →