Summary
open-feature-operator: Cross-namespace FeatureFlagSource and InProcessConfiguration resolution exposes spec contents on multi-tenant clusters
A namespaced FeatureFlagSource or InProcessConfiguration resource can be referenced cross-namespace via the openfeature.dev/featureflagsource annotation using the documented {NAMESPACE}/{NAME} syntax. The operator resolves the referenced resource cluster-wide and materializes its contents (env vars, flagd sidecar arguments including httpSyncBearerToken, sync URIs, supporting ConfigMaps) into the referencing workload.
On multi-tenant clusters that treat namespaces as trust boundaries, a tenant who can deploy a controller-owned workload in their own namespace can cause the operator to read another tenant's FeatureFlagSource / InProcessConfiguration spec contents.
Behavior is documented
The cross-namespace {NAMESPACE}/{NAME} annotation syntax is intentional and documented in docs/annotations.md and docs/feature_flag_source.md. The operator's cluster-wide RBAC scope is intentional. Namespace-as-trust-boundary is not part of the operator's current stated security model.
This advisory makes the tenancy assumption explicit and tracks the architectural change that will eliminate the implicit cross-namespace pattern.
Corrections to the original report
Two technical points in the original report require correction:
secretKeyRef/configMapKeyRefcross-namespace disclosure is not possible via this path. Kubelet resolves these asLocalObjectReferenceagainst the pod's own namespace; the operator does not bypass that. The actual disclosure surface isFeatureFlagSource/InProcessConfigurationspec contents the operator itself materializes (inlineenvVarsvalues,httpSyncBearerToken, sync URIs).create featureflagsourcesis not a prerequisite. The webhook rejects pods without OwnerReferences (pod_webhook.go:75-77), so the prerequisite iscreateon a workload controller (deployments,statefulsets,daemonsets,jobs,cronjobs,replicasets) in a namespace the attacker controls.FeatureFlagSourcecreate in any namespace is not required.
Mitigations
As with any Kubernetes CRD, treat the spec content of FeatureFlagSource and InProcessConfiguration as readable by anyone with read access to the resource, and don't place plaintext secrets in CR spec fields. Fields most likely to bite users:
spec.sources[].source, when the URI embeds credentials (e.g.https://user:pass@host/repo)spec.sources[].certPath, if the path itself is sensitive- inline
spec.envVars[].value(usevalueFrom.secretKeyRefinstead; kubelet enforces same-namespace resolution and the secret value is not stored in the CR)
If developers treat namespaces as trust boundaries:
- restrict
createonfeatureflagsources/inprocessconfigurationsvia RBAC where feasible,
Roadmap
A future release will introduce explicit cluster-scoped CRDs (ClusterFeatureFlagSource, ClusterInProcessConfiguration) and remove implicit cross-namespace resolution. This is a breaking change tracked in #847.
Precedent
This class of issue (authenticated namespace tenant abuses an unenforced cluster-wide surface that crosses an assumed namespace boundary) has Kubernetes precedent: CVE-2020-8554 (External IPs) was accepted as documented posture and mitigated via an opt-in admission plugin.
Credit
Reported by @0xVijay. Thanks for the disclosure. This appears to be an example of https://cwe.mitre.org/data/definitions/668.html. In terms of how it ended up here, it's more of an unimplemented security feature than an "bug". It seems to deviate from reasonable expectations and conventions in the K8s ecosystem. See https://nvd.nist.gov/vuln/detail/cve-2020-8554 as an example of a comparable vulnerability.
Impact
- Single-tenant clusters: not impacted.
- Multi-tenant clusters using namespaces as trust boundaries: tenant-to-tenant disclosure of any data placed inline in
FeatureFlagSource/InProcessConfigurationspec, includingspec.envVarsliteral values,spec.httpSyncBearerToken, and sync URIs.
CVE-2026-54495 has a CVSS score of 4.3 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-54495? CVE-2026-54495 is a medium-severity security vulnerability in github.com/open-feature/open-feature-operator (go), affecting versions <= 0.9.2. No fixed version is listed yet.
- How severe is CVE-2026-54495? CVE-2026-54495 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/open-feature/open-feature-operator are affected by CVE-2026-54495? github.com/open-feature/open-feature-operator (go) versions <= 0.9.2 is affected.
- Is there a fix for CVE-2026-54495? No fixed version is listed for CVE-2026-54495 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-54495 exploitable, and should I be worried? Whether CVE-2026-54495 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-54495 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.