// For flags

CVE-2025-14459

Virt-cdi-controller: unauthorized pvc cloning via dataimportcron

Severity Score

8.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism.

Red Hat OpenShift Virtualization release 4.19.17 is now available with updates to packages and images that fix several bugs and add enhancements.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Complete
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2025-12-10 CVE Reserved
  • 2026-01-22 CVE Published
  • 2026-01-26 CVE Updated
  • 2026-04-04 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-639: Authorization Bypass Through User-Controlled Key
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Redhat
Search vendor "Redhat"
 Container Native Virtualization
Search vendor "Redhat" for product "Container Native Virtualization"
*-
Affected
Redhat
Search vendor "Redhat"
 Openshift
Search vendor "Redhat" for product "Openshift"
*-
Affected