CVE-2026-62290 in cert-managerinfo

Summary

by MITRE • 07/16/2026

cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. From 1.18.0 until 1.19.6 and 1.20.3, Challenge resources under acme.cert-manager.io can be created directly by namespace users without admission validation tying the Challenge to an Order, owner reference, or Issuer-selected solver, allowing attacker-controlled Challenge.spec.solver values referencing a ClusterIssuer to bypass DNS01 solver selectors such as dnsZones, dnsNames, and matchLabels and cause cert-manager to use ClusterIssuer DNS credentials for attacker-selected provider settings and DNS names, including disclosure of X-Api-User and X-Api-Key headers for acme-dns. This issue is fixed in versions 1.19.6 and 1.20.3.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

The cert-manager vulnerability represents a critical authorization bypass flaw that undermines the security controls of Kubernetes certificate management systems. This issue affects versions from 1.18.0 through 1.19.5 and 1.20.0 through 1.20.2, where Challenge resources within the acme.cert-manager.io API group can be created without proper admission validation controls. The vulnerability stems from insufficient validation mechanisms that should normally bind Challenge resources to specific Orders, owner references, or Issuer-selected solvers before processing. This architectural weakness allows unprivileged namespace users to directly instantiate Challenge objects with attacker-controlled solver configurations, effectively circumventing the intended access controls and certificate issuance workflows.

The technical exploitation of this vulnerability occurs through manipulation of Challenge.spec.solver values that reference ClusterIssuer resources. When an attacker creates a Challenge resource pointing to a ClusterIssuer, they can override the default DNS01 solver selection logic that typically enforces constraints such as dnsZones, dnsNames, and matchLabels configurations. These selectors are designed to ensure that certificate requests only utilize specific DNS providers and domains that have been explicitly authorized by cluster administrators. By bypassing these controls, attackers can force cert-manager to use ClusterIssuer DNS credentials with arbitrary provider settings and DNS names, potentially leading to unauthorized certificate issuance or credential exposure.

The operational impact of this vulnerability extends beyond simple privilege escalation to include potential data exfiltration and service disruption. When cert-manager processes attacker-controlled Challenge resources, it may inadvertently transmit sensitive authentication headers such as X-Api-User and X-Api-Key for acme-dns providers, exposing credentials that could be used to compromise DNS infrastructure or gain unauthorized access to other systems. This exposure represents a significant risk in environments where cert-manager manages certificates for critical applications and services, particularly when ClusterIssuers are configured with broad permissions across multiple DNS providers or cloud platforms. The vulnerability affects the fundamental integrity of certificate issuance processes and can lead to unauthorized certificate provisioning that bypasses normal security controls.

Security mitigations for this vulnerability require immediate patching of affected cert-manager installations to versions 1.19.6 or 1.20.3, which implement proper admission validation controls. Organizations should also review their ClusterIssuer configurations to ensure that DNS01 solver selectors are properly enforced and that unnecessary broad permissions have been removed from certificate authorities. Network segmentation and monitoring should be enhanced to detect anomalous Challenge resource creation patterns, particularly when these resources reference ClusterIssuers or contain unexpected solver configurations. From a compliance perspective, this vulnerability aligns with CWE-284 (Improper Access Control) and represents an ATT&CK technique involving privilege escalation through API manipulation, making it particularly concerning for organizations following security frameworks such as NIST Cybersecurity Framework or ISO 27001 standards.

The root cause of this vulnerability demonstrates a failure in the admission control validation process within cert-manager's resource handling mechanisms. Proper implementation should have enforced strict binding between Challenge resources and their originating Orders or Issuer configurations, preventing unauthorized cross-namespace resource manipulation. This flaw highlights the importance of comprehensive admission control validation in Kubernetes environments and underscores the need for careful security review of all API extensions and custom resource definitions that handle sensitive operations like certificate management. The vulnerability serves as a reminder that even seemingly benign configuration options can create significant security risks when proper access controls and validation mechanisms are not properly implemented, emphasizing the critical nature of defense-in-depth approaches to Kubernetes security management.

Responsible

GitHub M

Reservation

07/13/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Interested in the pricing of exploits?

See the underground prices here!