CVE-2026-29773: CWE-863: Incorrect Authorization in kubewarden kubewarden-controller
Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden's promises is that configured users can deploy namespaced policies in a safe manner, without privilege escalation. An attacker with privileged "AdmissionPolicy" create permissions (which isn't the default) could make use of 3 deprecated host-callback APIs: kubernetes/ingresses, kubernetes/namespaces, kubernetes/services. The attacker can craft a policy that exercises these deprecated API calls and would allow them read access to Ingresses, Namespaces, and Services resources respectively. This attack is read-only; there is no write capability and no access to Secrets, ConfigMaps, or other resource types beyond these three.
AI Analysis
Technical Summary
Kubewarden is a policy engine that enforces policies in Kubernetes clusters; cluster operators can grant users permission to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their own Namespaces. CVE-2026-29773 arises from incorrect authorization checks in kubewarden-controller versions before 1.33.0. Specifically, a user who has been granted the ability to create AdmissionPolicies (a privileged permission not granted by default) can invoke three deprecated host-callback APIs: kubernetes/ingresses, kubernetes/namespaces, and kubernetes/services. A policy that calls these deprecated APIs lets its author read Ingresses, Namespaces, and Services, which can reveal configuration and topology details of the cluster environment. The attacker cannot write or modify any resources, nor read more sensitive data such as Secrets or ConfigMaps. The vulnerability is classified under CWE-863 (Incorrect Authorization): the system fails to properly restrict which resources a namespaced policy may read. The CVSS v3.1 base score is 4.3 (medium), reflecting the read-only nature of the issue, its limited scope, and the elevated privileges required to exploit it. No exploitation in the wild has been reported and no patch is explicitly linked, but upgrading to kubewarden-controller 1.33.0 or later is recommended to address this issue.
Potential Impact
The primary impact of CVE-2026-29773 is unauthorized read access to Kubernetes Ingresses, Namespaces, and Services resources within a namespace. This could allow an attacker with AdmissionPolicy creation privileges to gather information about network routing, namespace configurations, and service endpoints, which may facilitate further reconnaissance or targeted attacks. Although the vulnerability does not allow modification or deletion of resources, nor access to highly sensitive data like Secrets or ConfigMaps, the leakage of cluster topology and configuration details can aid attackers in planning more sophisticated attacks. Organizations relying on kubewarden-controller for policy enforcement may face confidentiality risks if they grant AdmissionPolicy create permissions too broadly. The impact is limited to the namespace scope where the attacker has permissions, reducing the blast radius. Since exploitation requires already elevated permissions, the vulnerability primarily concerns environments with lax role-based access control (RBAC) policies. Overall, the risk is moderate but should not be ignored in sensitive or large-scale Kubernetes deployments.
Mitigation Recommendations
1. Upgrade kubewarden-controller to version 1.33.0 or later, where this vulnerability is fixed.
2. Restrict AdmissionPolicy create permissions strictly to trusted administrators; avoid granting these permissions to general users or service accounts.
3. Audit current RBAC policies to ensure that only necessary principals have AdmissionPolicy creation rights.
4. Disable or remove usage of deprecated host-callback APIs if possible, or monitor their invocation closely.
5. Implement Kubernetes audit logging to detect unusual AdmissionPolicy creations or suspicious API calls related to ingresses, namespaces, and services.
6. Use network segmentation and least privilege principles to limit the impact scope if a policy is maliciously crafted.
7. Regularly review and rotate credentials and permissions associated with kubewarden-controller to minimize risk exposure.
8. Educate cluster operators about the risks of granting AdmissionPolicy creation permissions and enforce strict change management processes.
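Recommendations 2 and 3 above come down to one question: which subjects can create AdmissionPolicies at all? The following is an added example (not from the advisory or from the Kubewarden project) that answers it from an RBAC dump; it assumes the Kubewarden CRDs live in the API group policies.kubewarden.io under the plural names admissionpolicies and admissionpolicygroups, and the RBAC objects below are constructed sample data.

```python
# Added example: list RBAC subjects able to create Kubewarden AdmissionPolicies,
# the precondition for CVE-2026-29773. Input is the "items" list produced by
#   kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json
# Assumption: Kubewarden CRDs are in API group policies.kubewarden.io with
# plural names admissionpolicies / admissionpolicygroups.
KW_GROUP = "policies.kubewarden.io"
KW_RESOURCES = {"admissionpolicies", "admissionpolicygroups"}

def rule_grants_create(rule: dict) -> bool:
    """True if one RBAC rule allows 'create' on a Kubewarden policy kind.
    Wildcards ('*') in apiGroups, resources or verbs count as a grant."""
    groups, res = set(rule.get("apiGroups", [])), set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    return (("*" in groups or KW_GROUP in groups)
            and ("*" in res or bool(res & KW_RESOURCES))
            and ("*" in verbs or "create" in verbs))

def find_policy_creators(items: list) -> list:
    """Return sorted (subject, role, scope) triples for bindings to risky roles."""
    risky = {(i["kind"], i["metadata"]["name"]) for i in items
             if i["kind"] in ("Role", "ClusterRole")
             and any(rule_grants_create(r) for r in i.get("rules", []))}
    found = []
    for b in items:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = b["roleRef"]
        if (ref["kind"], ref["name"]) not in risky:
            continue
        # A RoleBinding confines even a ClusterRole to the binding's namespace.
        scope = b["metadata"].get("namespace", "cluster-wide")
        for s in b.get("subjects", []):
            found.append((f'{s["kind"]}/{s["name"]}', ref["name"], scope))
    return sorted(found)

# Constructed sample: one overly broad ClusterRole, one harmless Role.
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "policy-author"},
     "rules": [{"apiGroups": [KW_GROUP], "resources": ["admissionpolicies"],
                "verbs": ["get", "list", "create"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "team-a"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "authors", "namespace": "team-a"},
     "roleRef": {"kind": "ClusterRole", "name": "policy-author"},
     "subjects": [{"kind": "User", "name": "alice"},
                  {"kind": "ServiceAccount", "name": "ci-bot"}]},
]

if __name__ == "__main__":
    for subject, role, scope in find_policy_creators(SAMPLE_ITEMS):
        print(f"{subject} can create AdmissionPolicies via {role} ({scope})")
```

Built-in roles such as cluster-admin only show up if their Role/ClusterRole object is included in the dump, so run it against the full cluster export rather than a filtered one.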
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Japan, Netherlands, France, India, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T16:26:02.897Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69af4e6aea502d3aa8cf7cc1
Added to database: 3/9/2026, 10:49:14 PM
Last enriched: 3/9/2026, 11:04:35 PM
Last updated: 3/13/2026, 5:06:43 AM