CVE-2026-6383: KubeVirt's authorization mechanism improperly truncates subresource names

April 15, 2026 (updated April 16, 2026)

A flaw was found in KubeVirt’s Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources.

References

access.redhat.com/security/cve/CVE-2026-6383
bugzilla.redhat.com/show_bug.cgi?id=2458741
github.com/advisories/GHSA-j6cv-3w8p-vrg8
github.com/kubevirt/kubevirt
github.com/kubevirt/kubevirt/issues/17337
nvd.nist.gov/vuln/detail/CVE-2026-6383

Code Behaviors & Features

Detect and mitigate CVE-2026-6383 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →