Strimzi: Unrestricted access to all Secrets within namespace watched by the Topic operator
- When
- Where: Global (internet)
- Category: cyber_advisory · maven
### Impact

When only the Topic Operator or only the User Operator is deployed as part of the Entity Operator in the `Kafka` custom resource, the RBAC rights granted do not follow the principle of least privilege: the Entity Operator ServiceAccount still holds the access rights of both operators. With only the Topic Operator deployed, the ServiceAccount can still access `KafkaUser` custom resources and Secrets in the watched namespace (the User Operator's rights); with only the User Operator deployed, it can still access `KafkaTopic` custom resources (the Topic Operator's rights). In the Topic-Operator-only case this amounts to unrestricted access to all Secrets in the namespace the operator watches.

### Patches

The issue is fixed in Strimzi 1.0.1 and 1.1.0.

### Workarounds

There is no workaround for this issue.
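The fastest live check is `kubectl auth can-i list secrets -n <namespace> --as=system:serviceaccount:<namespace>:<cluster>-entity-operator` (assuming Strimzi's default `<cluster>-entity-operator` ServiceAccount name); a `yes` on a Topic-Operator-only deployment is the condition this advisory describes. The script below is an added example by the editor, not Strimzi project code: it audits an exported Entity Operator `Role` against the components actually enabled in the `Kafka` CR and lists every verb/resource grant that no enabled component needs. The per-component resource mapping, the role name and the sample manifests are constructed assumptions modelled on the advisory text; adjust `NEEDED_BY` to the Role your release ships.

```python
"""Audit a Strimzi Entity Operator Role for grants beyond what the enabled
operators need (editor's example; not Strimzi code)."""
import json
import sys

# ASSUMPTION: which namespaced API resources each Entity Operator component
# legitimately needs, derived from the advisory text (Topic Operator manages
# KafkaTopic; User Operator manages KafkaUser and the Secrets it issues).
NEEDED_BY = {
    "topicOperator": {
        ("kafka.strimzi.io", "kafkatopics"),
        ("kafka.strimzi.io", "kafkatopics/status"),
    },
    "userOperator": {
        ("kafka.strimzi.io", "kafkausers"),
        ("kafka.strimzi.io", "kafkausers/status"),
        ("", "secrets"),
    },
}
# Resources either component may use regardless of which one is enabled.
SHARED = {("", "events")}

# Constructed sample of what `kubectl get role <cluster>-entity-operator -o json`
# could return on an affected release: both operators' rights in one Role.
SAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "my-cluster-entity-operator", "namespace": "kafka"},
    "rules": [
        {"apiGroups": ["kafka.strimzi.io"],
         "resources": ["kafkatopics", "kafkatopics/status"],
         "verbs": ["get", "list", "watch", "create", "patch", "update", "delete"]},
        {"apiGroups": ["kafka.strimzi.io"],
         "resources": ["kafkausers", "kafkausers/status"],
         "verbs": ["get", "list", "watch", "create", "patch", "update", "delete"]},
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "list", "watch", "create", "patch", "update", "delete"]},
        {"apiGroups": [""], "resources": ["events"], "verbs": ["create"]},
    ],
}

# Constructed Kafka CR excerpt with only the Topic Operator enabled.
SAMPLE_KAFKA_TOPIC_ONLY = {
    "apiVersion": "kafka.strimzi.io/v1beta2",
    "kind": "Kafka",
    "metadata": {"name": "my-cluster", "namespace": "kafka"},
    "spec": {"entityOperator": {"topicOperator": {}}},
}


def enabled_components(kafka):
    """Components present (non-null) under spec.entityOperator."""
    eo = kafka.get("spec", {}).get("entityOperator") or {}
    return {c for c in NEEDED_BY if eo.get(c) is not None}


def granted(role):
    """Flatten Role rules into (apiGroup, resource, verb) triples.
    Wildcards stay literal '*', so they never match an allowed resource
    and are always reported as excess."""
    out = set()
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    out.add((group, resource, verb))
    return out


def allowed_resources(kafka):
    allowed = set(SHARED)
    for component in enabled_components(kafka):
        allowed |= NEEDED_BY[component]
    return allowed


def excess_grants(role, kafka):
    """Grants the Role carries that no enabled component needs."""
    allowed = allowed_resources(kafka)
    return sorted(t for t in granted(role) if (t[0], t[1]) not in allowed)


def can_read_secrets(role):
    """True if the Role lets the subject read Secrets at all."""
    return any(g == "" and r == "secrets" and v in {"get", "list", "watch"}
               for g, r, v in granted(role))


def report(role, kafka):
    lines = [f"enabled: {sorted(enabled_components(kafka))}"]
    for group, resource, verb in excess_grants(role, kafka):
        lines.append(f"EXCESS {verb:6} {group or 'core'}/{resource}")
    if "userOperator" not in enabled_components(kafka) and can_read_secrets(role):
        lines.append("WARNING: Secrets readable without the User Operator enabled")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python audit.py role.json kafka.json   (defaults to the samples)
    role = json.load(open(sys.argv[1])) if len(sys.argv) > 2 else SAMPLE_ROLE
    kafka = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE_KAFKA_TOPIC_ONLY
    print(report(role, kafka))
```

Run against the samples it reports 21 excess grants (seven verbs on each of `kafkausers`, `kafkausers/status` and `secrets`) plus the Secrets warning; against a CR with both components enabled it reports nothing, which is the shape a least-privilege Role should have after upgrading to a fixed version.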
Sources
- GitHub Advisory Database · first seen 2026-06-18 13:04 UTC