CVE-2026-55226
Published:June 18, 2026
Updated:June 21, 2026
Impact When only the Topic or only the User operators are deployed as part of the Entity Operator in the "Kafka" custom resource, the RBAC rights are not following the principle of least-privilege and the Entity Operator ServiceAccount still has access rights corresponding to both operators. That might allow the ServiceAccount to access "KafkaUser" custom resources and Secrets when the User operator is not deployed and access "KafkaTopic" custom resources when the Topic operator is not deployed. Patches The issue is fixed in Strimzi 1.0.1 and 1.1.0. Workarounds There is no workaround for this issue.
Affected Packages
https://github.com/strimzi/strimzi-kafka-operator.git (GITHUB):
Affected version(s) >=v0.2.0-rc1 <1.0.1Fix Suggestion:
Update to version 1.0.1Related Resources (2)
Do you need more information?
Contact UsCVSS v4
Base Score:
5.9
Attack Vector
ADJACENT
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.4
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
LOW
Availability
NONE