Kubewarden-controller prior to version 1.35.0 contains a missing authorization vulnerability (CWE-862) in the can_i host callback. Attackers with privileged AdmissionPolicy or AdmissionPolicyGroup create permissions can craft policies that invoke the can_i callback, which issues SubjectAccessReview (SAR) requests without enforcing the context-aware allow-list. This results in an authorization gap where the callback executes SARs with policy-server privileges, disclosing RBAC permission information cluster-wide. This vulnerability enables reconnaissance of user and service account permissions but does not directly expose workload data or allow privilege escalation. The issue is addressed in kubewarden-controller 1.35.0.

The vulnerability allows attackers with specific privileged create permissions to enumerate RBAC permissions of any user or service account in the Kubernetes cluster. This information disclosure can aid attackers in planning further attacks by revealing which accounts have sensitive permissions such as 'get secrets', 'create pods', or 'bind clusterroles'. There is no direct impact on data integrity or availability, and no direct workload data exfiltration is possible through this vulnerability.

A fix for this vulnerability is available in kubewarden-controller version 1.35.0. Users should upgrade to this version or later to remediate the issue. Patch status is not explicitly confirmed by a vendor advisory in the provided data, so users should verify the upgrade and remediation details from the official kubewarden project resources. Until upgraded, restrict privileged AdmissionPolicy or AdmissionPolicyGroup create permissions to trusted administrators only.