Summary
Kite has an authenticated cluster RBAC bypass in /api/v1/overview
Full technical description
Authenticated Kite users with any role can request /api/v1/overview for a cluster that their roles do not permit by selecting that cluster with x-cluster-name. The overview route is registered before middleware.RBACMiddleware() and GetOverview only checks len(user.Roles) > 0, so it returns aggregate Kubernetes inventory and capacity data from unauthorized clusters.
The issue is present on current main commit 38c9bb9d4b746c0d2a8252f3c35cdfa07ab01c21 and latest release v0.12.2 at commit 0aae35abb2d6a8adf623fe60349261aa48753ccc.
Technical details
routes.go registers /api/v1/overview before the global RBAC middleware is applied:
routes.go:131-133:/api/v1getsRequireAuth()andClusterMiddleware(cm).routes.go:135:/api/v1/overviewis registered.routes.go:171:api.Use(middleware.RBACMiddleware())is applied only after overview and several other routes are registered.
pkg/middleware/cluster.go:21-40 accepts the target cluster name from x-cluster-name, query, or cookie and injects the matching ClientSet without checking whether the user can access that cluster.
pkg/system/handler.go:47-52 retrieves the selected cluster and user, but only rejects users with zero roles:
cs := c.MustGet("cluster").(*cluster.ClientSet)
user := c.MustGet("user").(model.User)
if len(user.Roles) == 0 {
c.JSON(http.StatusForbidden, gin.H{"error": "Access denied"})
return
}
It then lists nodes, pods, namespaces, and services for the selected cluster at pkg/system/handler.go:63-137 and returns aggregate data at pkg/system/handler.go:147-169.
The intended cluster boundary exists elsewhere. pkg/cluster/cluster_handler.go:19-47 filters /api/v1/clusters with rbac.CanAccessCluster(user, name), and pkg/rbac/rbac.go:32-40 implements that cluster check. The vulnerable overview path skips the same check.
Reproduction
- Configure Kite with at least two clusters, for example
dev-clusterandprod-cluster. - Create a user with a role that allows only
dev-clusterand does not matchprod-cluster. - Authenticate as that user.
- Send
GET /api/v1/overviewwith headerx-cluster-name: prod-cluster. - Observe that the response includes aggregate inventory and capacity data for
prod-clusterinstead of returning 403.
I also validated this locally with a Go proof test. The test constructs a fake prod-cluster containing one node, namespace, service, and pod. The user has a role limited to dev-cluster and dev-ns only. Before calling the handler, both controls return false:
rbac.CanAccess(user, "pods", "get", "prod-cluster", "_all")rbac.CanAccessCluster(user, "prod-cluster")
The direct handler call then succeeds and returns the unauthorized production cluster aggregate data.
Command run:
cd /home/unkn0wn/security_audit/kite
go test ./pkg/system -run TestOverviewAllowsUserWithoutTargetClusterRBAC -v
Key output:
=== RUN TestOverviewAllowsUserWithoutTargetClusterRBAC
overview_rbac_poc_test.go:74: unauthorized overview response: {"totalNodes":1,"readyNodes":0,"totalPods":1,"runningPods":0,"totalNamespaces":1,"totalServices":1,"prometheusEnabled":false,"resource":{"cpu":{"allocatable":0,"requested":0,"limited":0},"memory":{"allocatable":0,"requested":0,"limited":0}}}
--- PASS: TestOverviewAllowsUserWithoutTargetClusterRBAC (0.49s)
PASS
ok github.com/zxh326/kite/pkg/system 0.711s
Suggested remediation
Add an explicit cluster and resource authorization check before any overview data is queried. At minimum, reject users without rbac.CanAccessCluster(user, cs.Name). A stricter fix should require the same resource permissions used by the AI get_cluster_overview tool:
get nodesat cluster scopeget podsacross all namespacesget namespacesat cluster scopeget servicesacross all namespaces
Also consider moving every route that lacks its own complete authorization below api.Use(middleware.RBACMiddleware()), or adding per-handler authorization tests for all pre-RBAC routes.
Impact
A low-privileged user who only has access to one cluster can set x-cluster-name to another configured cluster and retrieve aggregate inventory and resource sizing data for that cluster. The response includes total node, pod, namespace, service, CPU, and memory values. This bypasses the cluster membership boundary used elsewhere in Kite.
The validated impact is confidentiality only. I did not prove Kubernetes mutation, pod names, secret values, kubeconfig contents, or bearer token exposure through this endpoint.
The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.
CVE-2026-53487 has a CVSS score of 4.3 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.12.3); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-53487? CVE-2026-53487 is a medium-severity missing authorization vulnerability in github.com/zxh326/kite (go), affecting versions <= 0.12.2. It is fixed in 0.12.3. The application does not perform an authorization check before performing a sensitive operation.
- How severe is CVE-2026-53487? CVE-2026-53487 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/zxh326/kite are affected by CVE-2026-53487? github.com/zxh326/kite (go) versions <= 0.12.2 is affected.
- Is there a fix for CVE-2026-53487? Yes. CVE-2026-53487 is fixed in 0.12.3. Upgrade to this version or later.
- Is CVE-2026-53487 exploitable, and should I be worried? Whether CVE-2026-53487 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-53487 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-53487? Upgrade
github.com/zxh326/kiteto 0.12.3 or later.