{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/virt-exportserver/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-9804"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["virt-exportserver"],"_cs_severities":["high"],"_cs_tags":["kube-virt","path-traversal","vulnerability","cloud"],"_cs_type":"advisory","_cs_vendors":["KubeVirt"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-9804, has been discovered in the virt-exportserver component of KubeVirt. This flaw allows an attacker with specific namespace-level access to exploit the VMExport directory endpoint. By crafting a malicious symbolic link within an exported filesystem Persistent Volume Claim (PVC), the attacker can point outside of the designated mount root of the PVC. This circumvents access controls and permits reading arbitrary files from the exporter pod\u0026rsquo;s filesystem. Successful exploitation results in information disclosure, potentially exposing sensitive data residing on the KubeVirt host. This vulnerability impacts systems where KubeVirt\u0026rsquo;s virt-exportserver is deployed and accessible to potentially malicious actors with the requisite namespace permissions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains namespace-level access to the KubeVirt environment.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a VMExport configured with an exported filesystem PVC.\u003c/li\u003e\n\u003cli\u003eAttacker creates a symbolic link within the exported filesystem PVC. The symbolic link is crafted to point outside the PVC\u0026rsquo;s designated mount root, targeting sensitive files on the exporter pod\u0026rsquo;s filesystem.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the export process, causing the virt-exportserver to follow the symbolic link.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal vulnerability, the virt-exportserver reads the file pointed to by the symbolic link, which resides outside the intended PVC scope.\u003c/li\u003e\n\u003cli\u003eThe virt-exportserver includes the content of the targeted file in the export stream.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the export stream, gaining access to the contents of the previously inaccessible file.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully exfiltrates sensitive information from the KubeVirt environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9804 allows an attacker with namespace-level access to read arbitrary files from the exporter pod\u0026rsquo;s filesystem. This information disclosure could expose sensitive data, such as configuration files, credentials, or other confidential information stored on the KubeVirt host. The vulnerability could lead to a compromise of the KubeVirt environment, enabling further malicious activities. The number of affected systems depends on the deployment size of KubeVirt.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2026-9804 Exploitation Attempt via Symlink Creation\u003c/code\u003e to detect the creation of suspicious symbolic links within exported PVC directories, which are indicative of path traversal attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit namespace-level permissions, reducing the attack surface as described in the overview.\u003c/li\u003e\n\u003cli\u003eRegularly audit and monitor KubeVirt deployments for suspicious activity, focusing on file system access within PVC mounts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2026-9804 Exploitation Attempt via File Access\u003c/code\u003e to detect file access from virt-exportserver outside the PVC mount.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T09:19:28Z","date_published":"2026-05-28T09:19:28Z","id":"https://feed.craftedsignal.io/briefs/2026-05-kube-virt-path-traversal/","summary":"A path traversal vulnerability exists in KubeVirt's virt-exportserver component, where an attacker with namespace-level access can exploit this flaw by creating a symbolic link within an exported filesystem PVC to read arbitrary files from the exporter pod, leading to information disclosure.","title":"KubeVirt virt-exportserver Path Traversal Vulnerability (CVE-2026-9804)","url":"https://feed.craftedsignal.io/briefs/2026-05-kube-virt-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Virt-Exportserver","version":"https://jsonfeed.org/version/1.1"}