Skip to content

H3-2026-0059

Azure Kubernetes Service Code Execution via ARM API

Category VULNERABILITY
Base Score 8.0

Description

Azure Kubernetes Service (AKS) exposes a listClusterAdminCredentials ARM API endpoint that returns a fully privileged kubeconfig for the cluster. Any principal with the Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action permission (e.g., Contributor or AKS Cluster Admin role) can retrieve this kubeconfig and use it to authenticate as a cluster administrator without requiring direct network access to the cluster's API server at configuration time. This allows an attacker to enumerate all Pods across all namespaces and execute arbitrary commands inside running containers.

Impact

Attackers who obtain Azure credentials with sufficient RBAC permissions can retrieve the Cluster Admin kubeconfig via the ARM API, and execute commands in any running Pod across the cluster. This enables credential theft; lateral movement to other Azure resources via Pod service account tokens or mounted secrets; and potential node escape from privileged containers.

References