VYPR
Unrated severity · OSV Advisory · Published Jan 3, 2019 · Updated Aug 5, 2024

CVE-2018-18264

Description

Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Kubernetes Dashboard before 1.10.1 allowed unauthenticated access to read secrets via its Service Account token.

Vulnerability

CVE-2018-18264 is an authentication bypass vulnerability in Kubernetes Dashboard prior to version 1.10.1. An attacker who can reach the Dashboard web interface can access the Dashboard's own Service Account, which by default has permissions to read secrets within the cluster. The flaw exists because the Dashboard did not properly validate authentication for certain API endpoints, allowing requests to be processed as if they came from the Service Account itself [1][2][3].

Exploitation

An attacker needs only network access to the Kubernetes Dashboard (e.g., exposed via a NodePort, LoadBalancer, or kubectl proxy). No authentication credentials are required. The attacker sends crafted requests to the Dashboard's API endpoints, and the Dashboard treats those requests as originating from its own Service Account, effectively bypassing authentication checks [1][2].

Impact

Successful exploitation allows the attacker to read all secrets stored in the Kubernetes cluster that the Dashboard's Service Account has access to. This can include database credentials, API tokens, TLS certificates, and other sensitive data. The attack results in a confidentiality breach (information disclosure) and can be a stepping stone for broader privilege escalation within the cluster [1][4].

Mitigation

The vulnerability is fixed in Kubernetes Dashboard version 1.10.1, released on 2018-12-14 [4]. Users should upgrade to v1.10.1 or later. The fix disables the skip login feature by default and requires proper authentication for all API access [2][3]. Organizations unable to upgrade immediately should restrict network access to the Dashboard (e.g., via network policies, firewall rules) as a workaround. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
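A defender-side audit for the two conditions this advisory turns on (Dashboard image older than 1.10.1, and the skip-login behaviour re-enabled) can be run against the JSON that `kubectl get deploy -o json` returns. The block below is an added example and is not code from the advisory or from the Dashboard project; the namespace, image name and the `--enable-skip-login` flag are assumptions about a typical 1.x deployment, and the Deployment object is constructed inline.

```python
import json
import re

# Constructed sample, shaped like the output of
#   kubectl -n kube-system get deploy kubernetes-dashboard -o json
# trimmed to the fields the check reads. Namespace, image and args are assumptions.
SAMPLE_DEPLOYMENT = json.dumps({
    "metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "kubernetes-dashboard",
        "image": "k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0",
        "args": ["--auto-generate-certificates", "--enable-skip-login"],
    }]}}},
})

FIXED_VERSION = (1, 10, 1)  # from the advisory: fixed in Dashboard 1.10.1


def parse_version(image):
    """Return the numeric tag of an image reference as a tuple, or None if it has no x.y.z tag."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)$", image)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_dashboard(deployment_json):
    """Return a list of findings for a Dashboard Deployment; an empty list means nothing to report."""
    deploy = json.loads(deployment_json)
    findings = []
    for c in deploy["spec"]["template"]["spec"]["containers"]:
        image = c.get("image", "")
        if "kubernetes-dashboard" not in image:
            continue  # sidecars such as metrics scrapers are not in scope
        version = parse_version(image)
        if version is None:
            findings.append(f"{image}: tag not parseable, pin an explicit version >= 1.10.1")
        elif version < FIXED_VERSION:
            findings.append(f"{image}: affected by CVE-2018-18264, upgrade to >= 1.10.1")
        # The fixed release turns skip-login off by default; this flag (assumed name) turns it back on.
        if "--enable-skip-login" in c.get("args", []):
            findings.append(f"{c['name']}: --enable-skip-login set, Dashboard sessions need no credentials")
    return findings


if __name__ == "__main__":
    for finding in audit_dashboard(SAMPLE_DEPLOYMENT):
        print("FINDING:", finding)
```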

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)