{}

{}

{}

{"bugzilla": {"description": "strimzi-cluster-operator: Unrestricted access to all Secrets within namespace watched by the Topic operator in Strimzi", "id": "2490660", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490660"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-272", "details": ["When deploying only the Topic Operator or only the User Operator via the Kafka custom resource, the Entity Operator's ServiceAccount retains RBAC rights for both operators rather than scoping permissions to the one actually deployed. This allows the ServiceAccount to access KafkaUser custom resources and Secrets even when the User Operator is not deployed, or access KafkaTopic custom resources when the Topic Operator is not deployed, violating the principle of least privilege. There is no workaround for this issue. Fixed in Strimzi 1.0.1 and 1.1.0."], "name": "CVE-2026-55226", "package_state": [{"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Fix deferred", "package_name": "cluster-operator", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Fix deferred", "package_name": "cluster-operator", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-06-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-55226\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-55226"], "threat_severity": "Moderate"}