What is CVE-2026-45726?

## Summary Omni supports importing standalone Talos clusters. During this process, an ImportedClusterSecrets resource is created, which contains the full CA secrets bundle for the cluster being imported. If these secrets are not rotated by the importing actor, an authenticated Omni user with Reader access can read this resource and gain full access to the Talos, Kubernetes and etcd APIs of the cluster. ## Severity - **Attack Vector:** Adjacent: the attacker needs to be in the same network to be able to access Talos/Kubernetes APIs with the compromised keys. - **Attack Complexity:** High: the attacker needs a deep understanding of Omni's internals. The resource is only created for imported clusters, and is normally not represented to users via any high-level API. - **Privileges Required:** Low: the role `Reader` is sufficient for the attacker to be able to read an imported cluster's secrets. - **User Interaction:** Required: another user must have imported a cluster to Omni for this vulnerability to exist. - **Scope:** Changed: the leaked CA private keys let an attacker directly get full control on Kubernetes or Talos, beyond the limitations enforced by Omni. - **Confidentiality Impact:** High: full cluster CA private keys (Kubernetes, Talos, etcd, service account) are exposed. - **Integrity Impact:** High: with the CA keys the attacker has full control on Kubernetes and Talos of the compromised (imported) cluster, and modify the workloads on it. - **Availability Impact:** High: with the CA keys the attacker has full control on Kubernetes and Talos of the compromised (imported) cluster, and modify the workloads on it. ## Impact - Any Reader-level account can exfiltrate the complete CA private key hierarchy (Kubernetes CA, etcd CA, service account key) of the imported clusters whose secrets are not yet rotated ("tainted" imported clusters). - With the Kubernetes CA private key, an attacker can sign certificates for any Kubernetes user or group, including `system:masters`, achieving cluster-admin access to the imported cluster entirely outside Omni's control plane. - Impact scope extends beyond Omni to every Kubernetes workload, credential, and secret stored in the affected imported cluster. ## Credit This vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).

What is the severity of CVE-2026-45726?

CVE-2026-45726 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-45726?

No known public exploits are currently available for CVE-2026-45726.

Is there a patch available for CVE-2026-45726?

Yes, patches are available for CVE-2026-45726. Check the vendor advisories for update instructions.

CVE-2026-45726 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

Omni supports importing standalone Talos clusters.

During this process, an ImportedClusterSecrets resource is created, which contains the full CA secrets bundle for the cluster being imported.

If these secrets are not rotated by the importing actor, an authenticated Omni user with Reader access can read this resource and gain full access to the Talos, Kubernetes and etcd APIs of the cluster.

Severity

Attack Vector: Adjacent: the attacker needs to be in the same network to be able to access Talos/Kubernetes APIs with the compromised keys.
Attack Complexity: High: the attacker needs a deep understanding of Omni's internals. The resource is only created for imported clusters, and is normally not represented to users via any high-level API.
Privileges Required: Low: the role Reader is sufficient for the attacker to be able to read an imported cluster's secrets.
User Interaction: Required: another user must have imported a cluster to Omni for this vulnerability to exist.
Scope: Changed: the leaked CA private keys let an attacker directly get full control on Kubernetes or Talos, beyond the limitations enforced by Omni.
Confidentiality Impact: High: full cluster CA private keys (Kubernetes, Talos, etcd, service account) are exposed.
Integrity Impact: High: with the CA keys the attacker has full control on Kubernetes and Talos of the compromised (imported) cluster, and modify the workloads on it.
Availability Impact: High: with the CA keys the attacker has full control on Kubernetes and Talos of the compromised (imported) cluster, and modify the workloads on it.

Impact

Any Reader-level account can exfiltrate the complete CA private key hierarchy (Kubernetes CA, etcd CA, service account key) of the imported clusters whose secrets are not yet rotated ("tainted" imported clusters).
With the Kubernetes CA private key, an attacker can sign certificates for any Kubernetes user or group, including system:masters, achieving cluster-admin access to the imported cluster entirely outside Omni's control plane.

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com

Ready for Agentic Automated Testing?

CVE-2026-45726

Summary

Severity

Impact

Credit