Cloud-Metadata

2026-04-26
The Controller Token Leak Epidemic: Kubernetes Has a Confused-Deputy Problem
Six CVEs in three months, four against a single Kyverno feature, plus OpenShift AI and Argo CD: every modern Kubernetes platform is shipping helper code that hands its controller's bearer token to attacker-controlled URLs. The bug class isn't going to fix itself.
kubernetes kyverno openshift argocd confused-deputy serviceaccount token-leak ssrf rbac cloud-metadata opinion
vulnerabilities 2026-04-24
LMDeploy SSRF (CVE-2026-33626) Weaponized in 12 Hours to Loot GPU IAM Credentials
A Server-Side Request Forgery in LMDeploy's vision-language image loader turned LLM inference nodes into SSRF primitives for cloud metadata theft — exploited 12 hours and 31 minutes after disclosure.
ssrf lmdeploy ai-infrastructure imds cloud-metadata cve-2026-33626

The Controller Token Leak Epidemic: Kubernetes Has a Confused-Deputy Problem