Affected versions: Pinniped (go.pinniped.dev) v0.11.0 through v0.46.0 inclusive; fixed in v0.47.0.
Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Thu, 09 Jul 2026 10:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Vmware
Vmware pinniped |
|
| Vendors & Products |
Vmware
Vmware pinniped |
Thu, 09 Jul 2026 08:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elevated permissions in the clusters, only if all the following conditions were true: the Pinniped Supervisor server is running with an ActiveDirectoryIdentityProvider resource configured; the ActiveDirectoryIdentityProvider.spec.groupSearch.attributes.groupName is empty; the attacker gains the ability to edit some part of the distinguished name (DN) of group entries in the Active Directory (AD) server's database for groups to which they belong; the configured group search parameters cause the edited group to be included in the group search results for the user; and the attacker knows the password for an AD user who belongs to the edited AD group. Affected versions: Pinniped (go.pinniped.dev) v0.11.0 through v0.46.0 inclusive; fixed in v0.47.0. | |
| Title | Privilege Escalation via Active Directory LDAP injection in Pinniped Supervisor can be executed by an attacker who can edit LDAP Group DN entries | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: vmware
Published:
Updated: 2026-07-09T07:12:10.791Z
Reserved: 2026-07-04T18:13:09.972Z
Link: CVE-2026-59269
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-09T09:45:04Z
No weakness.