{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-41184/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-41184"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["vulnerability","token-disclosure","kubernetes","CVE-2026-41184"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eMicrosoft has released information regarding CVE-2026-41184, a vulnerability that allows for the disclosure of ServiceAccount tokens through the install-cni container logs. While specific details of the exploitation are not provided in the source, the nature of the vulnerability suggests a misconfiguration or logging of sensitive data within the container environment that allows for unauthorized access to sensitive tokens. Exploitation of this vulnerability could lead to privilege escalation within a Kubernetes cluster. Defenders need to ensure proper configuration and monitoring of container logs to prevent token exposure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a container or node within the Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the \u003ccode\u003einstall-cni\u003c/code\u003e container logs.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the logs, either through direct file access on the node or through centralized logging systems.\u003c/li\u003e\n\u003cli\u003eThe attacker searches the logs for ServiceAccount tokens that have been inadvertently logged.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the exposed ServiceAccount token.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the ServiceAccount token to authenticate to the Kubernetes API.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates resources and permissions associated with the compromised ServiceAccount.\u003c/li\u003e\n\u003cli\u003eDepending on the ServiceAccount\u0026rsquo;s permissions, the attacker can then create, modify, or delete resources within the cluster, potentially leading to privilege escalation or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41184 can lead to the disclosure of sensitive ServiceAccount tokens, potentially allowing attackers to escalate privileges within a Kubernetes cluster. This can result in unauthorized access to sensitive data, modification of critical configurations, and disruption of services. The extent of the impact depends on the permissions granted to the compromised ServiceAccount.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview and apply the Microsoft security update addressing CVE-2026-41184.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls for container logs to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eRegularly audit container configurations to ensure that sensitive data, such as ServiceAccount tokens, are not being inadvertently logged.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect suspicious access to container logs.\u003c/li\u003e\n\u003cli\u003eImplement token rotation policies to limit the lifespan of ServiceAccount tokens.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-30T07:25:17Z","date_published":"2026-05-30T07:25:17Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-41184-token-disclosure/","summary":"CVE-2026-41184 is a ServiceAccount token disclosure vulnerability in container logs addressed by a Microsoft security update.","title":"CVE-2026-41184 ServiceAccount Token Disclosure via install-cni Container Logs","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-41184-token-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-41184","version":"https://jsonfeed.org/version/1.1"}