CVE-2025-14459: Virt-cdi-controller: unauthorized pvc cloning via dataimportcron
A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism.
Security readout for executives and security teams
Plain-English summary
CVE-2025-14459 is a high-severity authorization flaw in KubeVirt Containerized Data Importer. A logged-in user may be able to clone storage volumes from namespaces they should not access, exposing sensitive data stored in Kubernetes PersistentVolumeClaims.
Executive priority
Prioritize remediation for CNV clusters hosting sensitive tenant, application, or VM disk data. The main business risk is unauthorized data exposure across namespaces, not service outage.
Technical view
The flaw affects CDI DataImportCron PVC source handling and is classified as CWE-639. The supplied CVSS 3.1 vector is 8.5: network reachable, low privileges, no user interaction, changed scope, high confidentiality impact, and low integrity impact.
Likely exposure
Exposure is most likely in Red Hat Container Native Virtualization 4.19 environments using affected container-native-virtualization packages and CDI workflows involving DataImportCron and PVC sources.
Exploitation context
The bundle does not show CISA KEV listing or active exploitation evidence. Exploitation requires authenticated low-privilege access, but the exact required Kubernetes RBAC permissions are not fully described in the supplied sources.
Researcher notes
Focus review on authorization checks around DataImportCron PVC source resolution and namespace boundaries. The supplied data does not include proof-of-concept details, precise patched builds, or confirmed exploit activity.
Mitigation direction
Apply Red Hat updates associated with RHSA-2026:0950 for affected CNV 4.19 components.
Check Red Hat’s CVE page for current fixed versions and product impact.
Restrict DataImportCron and CDI cloning permissions to trusted administrators.
Audit namespaces for unexpected PVC clones or imports.
Monitor Red Hat Bugzilla and CSAF VEX for updated remediation details.
Validation and detection
Inventory clusters running Red Hat CNV 4.19 and affected package versions.
Compare installed component image versions against RHSA-2026:0950 guidance.
Review RBAC granting DataImportCron or CDI import and clone permissions.
Inspect DataImportCron objects that reference PVC sources across namespaces.
Review Kubernetes audit logs for unusual PVC clone or import activity.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-639: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-639 · source CWE mapping
Authorization Bypass Through User-Controlled Key
Authorization Bypass Through User-Controlled Key represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.