Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 0.2%top 93%

CVE-2026-59269: CWE-20 Improper Input Validation in VMware Pinniped

0
Low
VulnerabilityCVE-2026-59269gcvecve-2026-59269cwe-20
Published: 07/09/2026 (07/09/2026, 07:12:10 UTC)
Source: GCVE Database
Vendor/Project: VMware
Product: Pinniped

Description

CVE-2026-59269 is an improper input validation vulnerability in VMware Pinniped affecting versions 0.11.0 through 0.46.0. It allows a user authenticating via the Pinniped Supervisor with a specific ActiveDirectoryIdentityProvider configuration to potentially gain elevated permissions in Kubernetes clusters. The vulnerability requires multiple conditions including the ability to edit group distinguished names in Active Directory and knowledge of an AD user password. The issue is fixed in Pinniped version 0.47.0.

CVSS v3.1

Score 3.8low

Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Affected software

GitHub Actionsmore threats →ai
vmware/pinniped
pkg:github/vmware/pinniped
Affected versions
=0.11.0<=0.46.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/09/2026, 09:40:18 UTC

Technical Analysis

This vulnerability in VMware Pinniped arises when the Pinniped Supervisor server is configured with an ActiveDirectoryIdentityProvider resource where the groupName attribute in groupSearch is empty. An attacker who can modify parts of the distinguished name of AD group entries they belong to, and who knows the password of an AD user in those groups, may manipulate group search results to gain elevated permissions in Kubernetes clusters. The flaw is due to improper input validation (CWE-20). It affects Pinniped versions 0.11.0 through 0.46.0 inclusive and was fixed in version 0.47.0.

Potential Impact

The impact is limited to scenarios where multiple specific conditions are met, including the attacker’s ability to edit AD group distinguished names and knowledge of an AD user password. Successful exploitation could lead to elevated permissions in Kubernetes clusters authenticated via Pinniped. The CVSS score is 3.8 (low severity) reflecting limited impact and exploit complexity.

Mitigation Recommendations

Upgrade Pinniped to version 0.47.0 or later, where this vulnerability is fixed. No other official remediation or temporary fixes are indicated. Patch status is not explicitly stated in the vendor advisory, but the fix is included starting in version 0.47.0.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
vmware
Date Reserved
2026-07-04T18:13:09.972Z
Cvss Version
3.1
State
PUBLISHED
Remediation Level
null
Gcve Source
db.gcve.eu

Threat ID: 6a4f6c0f68715ace431534dd

Added to database: 07/09/2026, 09:38:23 UTC

Last enriched: 07/09/2026, 09:40:18 UTC

Last updated: 07/09/2026, 20:52:18 UTC

Views: 11

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses