CVE-2026-13318 | A server-side request forgery (SSRF) flaw was found in KubeV… | CVSS 6.4 MEDIUM

Description

A server-side request forgery (SSRF) flaw was found in KubeVirt's virt-api port-forward handler. When processing a port-forward request to a VirtualMachineInstance (VMI), virt-api reads the target IP from vmi.Status.Interfaces[0].IP and passes it directly to net.Dial() without validation. For VMIs using non-masquerade network bindings (bridge or secondary-only), this IP is reported by the QEMU guest agent running inside the VM and is fully controllable by the VM owner. An attacker with kubevirt.io:edit permissions can create a VM with a modified guest agent that reports an arbitrary IP address, then request port-forward to establish a bidirectional TCP tunnel from virt-api's cluster-internal network position to any routable destination, bypassing NetworkPolicy isolation.

Metadata

CVE ID: CVE-2026-13318
State: PUBLISHED
Assigner: redhat
Reserved: 2026-06-25 08:05 UTC
Published: 2026-06-25 23:23 UTC
Last updated: 2026-06-25 23:23 UTC
Primary CWE: CWE-918
Server-Side Request Forgery (SSRF)
Vendor / Product: Red Hat / Red Hat OpenShift Virtualization 4
Sources: cve.org · NVD

Severity & Metrics

6.4 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Affected products (2)

Vendor	Product	Platform	Versions
Red Hat	Red Hat OpenShift Virtualization 4	—	—
Red Hat	Red Hat OpenShift Virtualization 4	—	—

Weakness (CWE)

CWE	Source	Description
CWE-918	cna	Server-Side Request Forgery (SSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.4	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

References (2)