Description
When the Strimzi cluster operator is deployed with watchAnyNamespace=true (or with a list of watched namespaces), any user who can create or edit Kafka custom resources in one of those namespaces can set Kafka.spec.entityOperator.userOperator.watchedNamespace (or Kafka.spec.entityOperator.topicOperator.watchedNamespace) to an arbitrary namespace, including kube-system. The cluster operator then creates, in the target namespace, a Role granting full CRUD on Secrets and a RoleBinding whose subject is a ServiceAccount in the attacker's namespace. Read access to kube-system Secrets is effectively cluster-admin-equivalent access. The RBAC objects created cross-namespace have their ownerReferences deliberately stripped, so the grant persists even after the Kafka CR or the attacker's namespace is deleted. Fixed in Strimzi 1.0.1 and 1.1.0 by adding a dedicated cluster operator environment variable that must be set explicitly to enable the watched namespace feature; it is disabled by default.
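Two things a cluster owner will want to check after reading this: whether any Kafka CR points its User or Topic Operator at a namespace other than its own, and whether any RoleBinding already exists that hands a ServiceAccount from a foreign namespace a Role with Secrets permissions and has no ownerReferences to garbage-collect it. The following is an added example written for this page, not Strimzi's own code and not taken from the advisory. It consumes the JSON shape that `kubectl get kafka -A -o json`, `kubectl get role -A -o json` and `kubectl get rolebinding -A -o json` return; the sample data is constructed, and the Role, RoleBinding and ServiceAccount names in it are hypothetical. Only the field names quoted in the description (entityOperator.userOperator.watchedNamespace, entityOperator.topicOperator.watchedNamespace) are taken from the page.

```python
"""Audit helpers for the Strimzi watchedNamespace escalation (added example).

Input is the JSON structure returned by `kubectl get <kind> -A -o json`.
The SAMPLE_* data below is constructed, not captured from a real cluster,
and its object names are hypothetical.
"""

# Verbs on "secrets" that let a subject read or rewrite credentials.
SECRET_VERBS = {"get", "list", "watch", "create", "update", "patch", "delete", "*"}


def cross_namespace_watchers(kafka_list):
    """Kafka CRs whose User or Topic Operator is pointed at another namespace.

    Returns (cr_namespace, cr_name, operator_field, watched_namespace) tuples.
    """
    findings = []
    for kafka in kafka_list.get("items", []):
        ns = kafka["metadata"]["namespace"]
        eo = (kafka.get("spec") or {}).get("entityOperator") or {}
        for op in ("userOperator", "topicOperator"):
            watched = (eo.get(op) or {}).get("watchedNamespace")
            if watched and watched != ns:
                findings.append((ns, kafka["metadata"]["name"], op, watched))
    return findings


def roles_granting_secrets(role_list):
    """Set of (namespace, role_name) for Roles granting any SECRET_VERBS on secrets."""
    granting = set()
    for role in role_list.get("items", []):
        for rule in role.get("rules", []):
            resources = set(rule.get("resources", []))
            if resources & {"secrets", "*"} and set(rule.get("verbs", [])) & SECRET_VERBS:
                granting.add((role["metadata"]["namespace"], role["metadata"]["name"]))
    return granting


def foreign_secret_bindings(rolebinding_list, role_list):
    """RoleBindings giving a ServiceAccount from another namespace a Secrets-capable Role.

    "orphaned" is True when the binding carries no ownerReferences, i.e. nothing
    removes it when the Kafka CR that caused it is deleted.
    """
    granting = roles_granting_secrets(role_list)
    findings = []
    for rb in rolebinding_list.get("items", []):
        ns = rb["metadata"]["namespace"]
        ref = rb.get("roleRef", {})
        if ref.get("kind") != "Role" or (ns, ref.get("name")) not in granting:
            continue
        for subj in rb.get("subjects", []):
            # A ServiceAccount subject with no explicit namespace means the
            # binding's own namespace, which is the benign case.
            subj_ns = subj.get("namespace", ns)
            if subj.get("kind") == "ServiceAccount" and subj_ns != ns:
                findings.append({
                    "namespace": ns,
                    "rolebinding": rb["metadata"]["name"],
                    "role": ref["name"],
                    "subject": f"{subj_ns}/{subj['name']}",
                    "orphaned": not rb["metadata"].get("ownerReferences"),
                })
    return findings


# Constructed sample data; names are hypothetical.
SAMPLE_KAFKAS = {"items": [
    {"metadata": {"namespace": "team-a", "name": "my-cluster"},
     "spec": {"entityOperator": {
         "userOperator": {"watchedNamespace": "kube-system"},  # the escalation
         "topicOperator": {}}}},
    {"metadata": {"namespace": "team-b", "name": "ok-cluster"},
     "spec": {"entityOperator": {"userOperator": {"watchedNamespace": "team-b"}}}},
]}

SAMPLE_ROLES = {"items": [
    {"metadata": {"namespace": "kube-system", "name": "my-cluster-entity-operator"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "verbs": ["get", "list", "watch", "create", "delete", "patch", "update"]}]},
    {"metadata": {"namespace": "kube-system", "name": "configmap-reader"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
]}

SAMPLE_ROLEBINDINGS = {"items": [
    # Cross-namespace Secrets grant with no ownerReferences: the bad one.
    {"metadata": {"namespace": "kube-system", "name": "my-cluster-entity-operator"},
     "roleRef": {"kind": "Role", "name": "my-cluster-entity-operator"},
     "subjects": [{"kind": "ServiceAccount", "name": "my-cluster-entity-operator",
                   "namespace": "team-a"}]},
    # Cross-namespace but configmaps only: not a Secrets grant, not reported.
    {"metadata": {"namespace": "kube-system", "name": "cm-reader"},
     "roleRef": {"kind": "Role", "name": "configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "reader", "namespace": "team-a"}]},
]}


def audit(kafkas=SAMPLE_KAFKAS, roles=SAMPLE_ROLES, rolebindings=SAMPLE_ROLEBINDINGS):
    """Run both checks and return the combined report."""
    return {"kafka_crs": cross_namespace_watchers(kafkas),
            "rolebindings": foreign_secret_bindings(rolebindings, roles)}


if __name__ == "__main__":
    for section, items in audit().items():
        print(section)
        for item in items:
            print("  ", item)
```

The second check matters even after upgrading: because the operator stripped ownerReferences from the cross-namespace objects, a RoleBinding planted before the fix is not cleaned up by the upgrade or by deleting the offending Kafka CR, so it has to be found and removed by hand.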
Published: n/a
Score: 8.0 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a

Remediation

Upgrade to Strimzi 1.0.1 or 1.1.0, where the watched namespace feature is disabled by default and must be enabled explicitly through a dedicated cluster operator environment variable. Because the cross-namespace Role and RoleBinding objects were created without ownerReferences, any such objects already planted are not removed by the upgrade or by deleting the Kafka CR; review Roles and RoleBindings that the cluster operator created in namespaces other than the one holding the Kafka CR and remove them by hand.


Advisories
Source: GitHub GHSA
ID: GHSA-mw9r-p8xp-wx96
Title: Strimzi: Cross-namespace privilege escalation via `Kafka.spec.entityOperator`
History

Wed, 24 Jun 2026 16:45:00 +0000

  Values added:
    First Time appeared: Strimzi; Strimzi kafka-operator
    Vendors & Products: Strimzi; Strimzi kafka-operator

Thu, 18 Jun 2026 16:45:00 +0000

  Values added:
    Description: (the description shown at the top of this page)
    Title: strimzi-cluster-operator: Cross-namespace privilege escalation via Kafka.spec.entityOperator.watchedNamespace in Strimzi
    Weaknesses: CWE-250 (Execution with Unnecessary Privileges)
    References:
    Metrics: threat_severity None replaced by Important; cvssV3_1 added with score 8.0, vector CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H


MITRE

No data.

Vulnrichment

No data.

NVD

No data.

Red Hat

Severity: Important

Public Date: 2026-06-17T00:00:00Z

Links: CVE-2026-55225 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-24T16:04:07Z

Weaknesses