GHSA-hq6q-c2x6-hmch
GitHub Security Advisory
Kubernetes Improper Input Validation vulnerability
✓ GitHub Reviewed
HIGH
Has CVE
Advisory Details
A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
Affected Packages
Go: k8s.io/kubernetes, affected versions: 1.28.0 (fixed in 1.28.4)
Go: k8s.io/kubernetes, affected versions: 1.27.0 (fixed in 1.27.8)
Go: k8s.io/kubernetes, affected versions: 1.26.0 (fixed in 1.26.11)
Go: k8s.io/kubernetes, affected versions: 0 (fixed in 1.25.16)
Related CVEs
Key Information
7.5/10
Dataset
Last updated: November 24, 2025 6:29 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.