CVE-2025-14269

Container Security

Overview

Description
-

Social media

Hype score
Not currently trending

  1. CVE-2025-14269: Kubernetes: Credential caching in Headlamp with Helm enabled https://t.co/U8eo4NY7VJ Unauthenticated users may access Helm. Clusters are only affected if Headlamp is installed, configured with config.enableHelm: true, and an authorized user has previously accessed

    @oss_security

    26 Dec 2025

    1501 Impressions

    3 Retweets

    8 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  2. [Security Advisory] CVE-2025-14269: Credential caching in Headlamp with Helm enabled #devopsish https://t.co/AaUjOXp2na

    @ChrisShort

    23 Dec 2025

    63 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Kubernetes向けWeb UI「Headlamp」に認証情報キャッシュの脆弱性(CVE-2025-14269) https://t.co/tnHuLO6SgG #セキュリティ対策Lab #セキュリティ #Security

    @securityLab_jp

    22 Dec 2025

    70 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-14269 PoC #exploit https://t.co/qy4ViyDjoC https://t.co/TM44dPxQOJ

    @TheExploitLab

    22 Dec 2025

    142 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  5. Dissecting the KUBERNETES CVE-2025-14269 Credential Hijack Read the full report on - https://t.co/VsKbRd2uiy https://t.co/aeWCdX8xiE

    @cyberbivash

    21 Dec 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-14269: Credential caching in Headlamp with Helm enabled - https://t.co/k5HxzzAdTE

    @kubernetesio

    18 Dec 2025

    5038 Impressions

    1 Retweet

    15 Likes

    7 Bookmarks

    1 Reply

    0 Quotes

Related CVEs

  1. Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Prior to version 1.1.25, Docker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry's WWW-Authenticate header without validating the scheme, hostname, or IP range. A malicious OCI registry can set the realm to an internal URL (e.g., http://127.0.0.1:3000/), causing Model Runner running on the host to make arbitrary GET requests to internal services and reflect the full response body back to the caller. Additionally, the token exchange mechanism can relay data from internal services back to the attacker-controlled registry via the Authorization: Bearer header. This issue has been patched in version 1.1.25. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.CVE-2026-33990
  2. Aquasecurity Trivy Embedded Malicious Code VulnerabilityCVE-2026-33634
  3. A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequences (../). During volume deletion or cleanup operations, the driver could operate on unintended directories outside the intended managed path within the NFS export. This may lead to deletion or modification of directories on the NFS server.CVE-2026-3864
  4. A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)CVE-2026-4342
  5. A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the containerCVE-2025-8766

References

Sources include official advisories and independent security research.