medium advisory

CVE-2026-41184 ServiceAccount Token Disclosure via install-cni Container Logs

CVE-2026-41184 is a ServiceAccount token disclosure vulnerability in container logs addressed by a Microsoft security update.

Microsoft has released information regarding CVE-2026-41184, a vulnerability that allows for the disclosure of ServiceAccount tokens through the install-cni container logs. While specific details of the exploitation are not provided in the source, the nature of the vulnerability suggests a misconfiguration or logging of sensitive data within the container environment that allows for unauthorized access to sensitive tokens. Exploitation of this vulnerability could lead to privilege escalation within a Kubernetes cluster. Defenders need to ensure proper configuration and monitoring of container logs to prevent token exposure.

Attack Chain

  1. An attacker gains initial access to a container or node within the Kubernetes cluster.
  2. The attacker identifies the install-cni container logs.
  3. The attacker accesses the logs, either through direct file access on the node or through centralized logging systems.
  4. The attacker searches the logs for ServiceAccount tokens that have been inadvertently logged.
  5. The attacker extracts the exposed ServiceAccount token.
  6. The attacker uses the ServiceAccount token to authenticate to the Kubernetes API.
  7. The attacker enumerates resources and permissions associated with the compromised ServiceAccount.
  8. Depending on the ServiceAccount’s permissions, the attacker can then create, modify, or delete resources within the cluster, potentially leading to privilege escalation or data exfiltration.

Impact

Successful exploitation of CVE-2026-41184 can lead to the disclosure of sensitive ServiceAccount tokens, potentially allowing attackers to escalate privileges within a Kubernetes cluster. This can result in unauthorized access to sensitive data, modification of critical configurations, and disruption of services. The extent of the impact depends on the permissions granted to the compromised ServiceAccount.

Recommendation

  • Review and apply the Microsoft security update addressing CVE-2026-41184.
  • Implement strict access controls for container logs to prevent unauthorized access.
  • Regularly audit container configurations to ensure that sensitive data, such as ServiceAccount tokens, is not being inadvertently logged.
  • Deploy the Sigma rules provided below to detect suspicious access to container logs and sensitive keywords appearing in them.
  • Implement token rotation policies to limit the lifespan of ServiceAccount tokens.

Detection coverage (2 rules)

Detect Suspicious Access to Container Logs

medium

Detects suspicious processes accessing container log files, potentially indicating an attempt to exploit CVE-2026-41184.

Format: sigma | Tactics: discovery | Techniques: T1005 | Sources: file_event, linux

Detect Sensitive Info in Container Logs via Keywords

high

Detects sensitive keywords being logged into container logs which could indicate sensitive information disclosure like CVE-2026-41184.

Format: sigma | Tactics: discovery | Techniques: T1005 | Sources: file_event, linux
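The keyword rule above flags sensitive strings in log output; a complementary check that a defender can run over collected container logs is to look specifically for JWT-shaped strings whose (unverified) payload carries the Kubernetes ServiceAccount `sub` claim, which identifies the leaked account. The following scanner is an added example written for this advisory, not a rule or tool from the vendor; the log lines and the token it scans are constructed locally, with a placeholder signature rather than a real key.

```python
import base64
import json
import re

# JWT-shaped token: three base64url segments, header segment always starts "eyJ" ({"...)
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sa_token_identity(token: str):
    """Return (namespace, serviceaccount) if the JWT payload carries Kubernetes
    ServiceAccount claims, else None. Only the payload is decoded; the signature
    is deliberately not verified, since detection must not depend on cluster keys."""
    try:
        claims = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return None
    sub = claims.get("sub", "") if isinstance(claims, dict) else ""
    if not sub.startswith("system:serviceaccount:"):
        return None
    _, _, namespace, name = sub.split(":", 3)
    return namespace, name


def scan_log_lines(lines):
    """Return (line_no, namespace, sa_name, redacted_token) for each SA token found."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for match in JWT_RE.finditer(line):
            ident = sa_token_identity(match.group(0))
            if ident:  # redact before reporting so the finding itself does not leak the token
                findings.append((line_no, ident[0], ident[1], match.group(0)[:12] + "...REDACTED"))
    return findings


# Constructed sample: fake SA token (placeholder signature) inside install-cni style log lines
_FAKE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "kid": "fake-kid"}),
    _b64url_encode({"iss": "https://kubernetes.default.svc.cluster.local",
                    "sub": "system:serviceaccount:kube-system:install-cni",
                    "kubernetes.io": {"namespace": "kube-system",
                                      "serviceaccount": {"name": "install-cni"}}}),
    "x" * 43,  # placeholder signature segment, not a real signature
])
SAMPLE_LOG = [
    "2026-01-01T00:00:00Z stdout F install-cni: writing CNI config to /host/etc/cni/net.d/",
    "2026-01-01T00:00:01Z stderr F DEBUG kubeconfig token=" + _FAKE_TOKEN,
    "2026-01-01T00:00:02Z stdout F install-cni: done",
]
```

Run `scan_log_lines(SAMPLE_LOG)` to see the single finding on line 2 with namespace `kube-system` and account `install-cni`; feeding real collected logs through the same function gives the namespace and account to rotate.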

Detection queries are available on the platform.