CVE-2026-13318: Server-Side Request Forgery (SSRF) in Red Hat Red Hat OpenShift Virtualization 4
CVE-2026-13318 is a server-side request forgery (SSRF) vulnerability in Red Hat OpenShift Virtualization 4's KubeVirt component. The flaw exists in the virt-api port-forward handler, which reads an IP address from a VirtualMachineInstance's status without validation and uses it to establish network connections. An attacker with edit permissions can exploit this by controlling the guest agent to specify arbitrary IPs, enabling them to bypass network isolation and create TCP tunnels to internal or external destinations.
AI Analysis
Technical Summary
This vulnerability arises because virt-api's port-forward handler uses the IP address reported by the QEMU guest agent inside a VM without validation, passing it directly to net.Dial(). For VMIs using non-masquerade network bindings, the guest agent can report arbitrary IP addresses. An attacker with kubevirt.io:edit permissions can create a malicious VM that reports a crafted IP, then initiate a port-forward request to establish a bidirectional TCP tunnel from the cluster-internal network position to any routable IP address. This bypasses NetworkPolicy isolation controls, potentially allowing unauthorized internal network access.
Potential Impact
An attacker with edit permissions on kubevirt.io can exploit this vulnerability to bypass Kubernetes NetworkPolicy restrictions by creating a VM that reports arbitrary IP addresses. This enables the attacker to establish TCP tunnels from within the cluster network to any routable destination, potentially accessing internal services or external systems that should be isolated. The impact includes limited confidentiality and integrity loss but no availability impact as per the CVSS vector.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2026-13318 for current remediation guidance. Until a fix is available, restrict kubevirt.io:edit permissions to trusted users only to reduce the risk of exploitation. Monitor for unusual port-forward requests and consider network segmentation to limit exposure.
CVE-2026-13318: Server-Side Request Forgery (SSRF) in Red Hat Red Hat OpenShift Virtualization 4
Description
CVE-2026-13318 is a server-side request forgery (SSRF) vulnerability in Red Hat OpenShift Virtualization 4's KubeVirt component. The flaw exists in the virt-api port-forward handler, which reads an IP address from a VirtualMachineInstance's status without validation and uses it to establish network connections. An attacker with edit permissions can exploit this by controlling the guest agent to specify arbitrary IPs, enabling them to bypass network isolation and create TCP tunnels to internal or external destinations.
CVSS v3.1
Score 6.4medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises because virt-api's port-forward handler uses the IP address reported by the QEMU guest agent inside a VM without validation, passing it directly to net.Dial(). For VMIs using non-masquerade network bindings, the guest agent can report arbitrary IP addresses. An attacker with kubevirt.io:edit permissions can create a malicious VM that reports a crafted IP, then initiate a port-forward request to establish a bidirectional TCP tunnel from the cluster-internal network position to any routable IP address. This bypasses NetworkPolicy isolation controls, potentially allowing unauthorized internal network access.
Potential Impact
An attacker with edit permissions on kubevirt.io can exploit this vulnerability to bypass Kubernetes NetworkPolicy restrictions by creating a VM that reports arbitrary IP addresses. This enables the attacker to establish TCP tunnels from within the cluster network to any routable destination, potentially accessing internal services or external systems that should be isolated. The impact includes limited confidentiality and integrity loss but no availability impact as per the CVSS vector.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2026-13318 for current remediation guidance. Until a fix is available, restrict kubevirt.io:edit permissions to trusted users only to reduce the risk of exploitation. Monitor for unusual port-forward requests and consider network segmentation to limit exposure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-06-25T08:05:05.093Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-13318","vendor":"Red Hat"}]
Threat ID: 6a3dbdc04853345fc1a94836
Added to database: 06/25/2026, 23:46:08 UTC
Last enriched: 06/26/2026, 00:01:27 UTC
Last updated: 06/26/2026, 00:01:27 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.