KubePi is vulnerable to missing authorization
Description
KubePi versions before 1.6.4 exposed API interfaces that could be accessed without authentication, potentially leaking sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
KubePi, a modern Kubernetes management panel, contains an authorization bypass vulnerability in its API endpoints. The /v1 route party was configured with middleware (jwt handler and auth handler) only after certain endpoints were already registered, meaning that some API interfaces, including the system logs endpoint, were exposed without proper authentication checks [1][4]. This flaw allows unauthorized entities to interact with these API interfaces and may leak sensitive information about the Kubernetes clusters managed by the panel [1].
Exploitation
The vulnerability exists in the API routing setup. In the commit that fixes the issue, the middleware functions langHandler() and pageHandler() were moved to apply after the session.Install() call, and critically the system.Install() call was moved from the unprotected v1Party to the authenticated authParty party [4]. Any unauthenticated user could directly access the /v1 endpoints that were not covered by the JWT or auth handlers. No special privileges or network position are required beyond the ability to reach the KubePi service [1].
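The routing mistake described above is a scoping problem: middleware applied to a sub-party protects only handlers registered on that sub-party, so anything registered on the parent party is served without the JWT and auth checks. The following Go program is an added example, not KubePi's code and not the Iris framework; it models an iris.Party with a small standard-library `Group` type (a path prefix plus an inherited middleware chain) and a constructed bearer-token check, builds the pre-fix layout (system routes on the parent `/v1` party) beside the fixed layout (system routes on the authenticated sub-party), and probes both with `httptest`. Names such as `Group`, `BuildVulnerable`, `BuildFixed`, `Probe` and the token value are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ValidToken is a constructed stand-in for a real, signed JWT.
const ValidToken = "constructed-demo-token"

// Middleware wraps a handler, in the same spirit as an iris.Handler used via Party.Use.
type Middleware func(http.Handler) http.Handler

// Group is a simplified model of an iris.Party: every handler registered on a
// Group is wrapped in that Group's middleware chain. A child Group copies the
// parent's chain at creation time (assumption: real Iris inheritance rules are
// richer than this, but the scoping lesson is the same).
type Group struct {
	mux    *http.ServeMux
	prefix string
	chain  []Middleware
}

// NewRouter creates the root Group (the equivalent of app.Party("/v1")).
func NewRouter(prefix string) *Group {
	return &Group{mux: http.NewServeMux(), prefix: prefix}
}

// Use appends middleware that will wrap handlers registered on this Group from now on.
func (g *Group) Use(m Middleware) { g.chain = append(g.chain, m) }

// Party creates a child Group that inherits the parent's current middleware chain.
func (g *Group) Party(prefix string) *Group {
	child := &Group{mux: g.mux, prefix: g.prefix + prefix}
	child.chain = append([]Middleware(nil), g.chain...)
	return child
}

// Handle registers h under this Group's prefix, wrapped in this Group's chain only.
func (g *Group) Handle(path string, h http.Handler) {
	for i := len(g.chain) - 1; i >= 0; i-- {
		h = g.chain[i](h)
	}
	g.mux.Handle(g.prefix+path, h)
}

func (g *Group) ServeHTTP(w http.ResponseWriter, r *http.Request) { g.mux.ServeHTTP(w, r) }

// requireJWT plays the role of WarpedJwtHandler/authHandler: reject requests
// that do not carry the expected bearer token.
func requireJWT(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+ValidToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// systemLogs stands in for the system (login log) endpoint; the body is constructed.
var systemLogs = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "login log entries (constructed sample)")
})

var users = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "user list (constructed sample)")
})

// buildRouter mirrors AddV1Route: the auth middleware lives on a sub-party, and
// the only difference between the two layouts is which party the system routes
// are registered on.
func buildRouter(systemOnAuthParty bool) http.Handler {
	v1 := NewRouter("/v1")
	authParty := v1.Party("")
	authParty.Use(requireJWT)
	authParty.Handle("/users", users)
	if systemOnAuthParty {
		authParty.Handle("/system/logs", systemLogs) // fixed: system.Install(authParty)
	} else {
		v1.Handle("/system/logs", systemLogs) // pre-fix: system.Install(v1Party)
	}
	return v1
}

// BuildVulnerable reproduces the pre-1.6.4 layout; BuildFixed the patched one.
func BuildVulnerable() http.Handler { return buildRouter(false) }
func BuildFixed() http.Handler      { return buildRouter(true) }

// Probe issues an in-process GET and returns the HTTP status code.
func Probe(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for name, h := range map[string]http.Handler{"vulnerable": BuildVulnerable(), "fixed": BuildFixed()} {
		fmt.Printf("%-10s GET /v1/system/logs without token -> %d\n", name, Probe(h, "/v1/system/logs", ""))
		fmt.Printf("%-10s GET /v1/system/logs with token    -> %d\n", name, Probe(h, "/v1/system/logs", ValidToken))
	}
}
```

The check a reviewer would add to a project like this is exactly the `Probe` call above, run over every registered route: anything outside the deliberately public session and MFA endpoints must answer 401 without a token, so a later `Install` on the wrong party fails CI instead of shipping.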
Impact
An attacker who successfully exploits this issue could gain access to sensitive information exposed through the unprotected API endpoints. This includes system logs and potentially other operational data, which could aid further attacks or lead to data disclosure [1][4].
Mitigation
The vulnerability has been patched in KubePi version 1.6.4 [1][2]. There are no known workarounds for affected versions, so upgrading to the latest release is the recommended action [1]. Users should update their installations promptly to prevent potential exploitation.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/KubeOperator/kubepi (Go) | < 1.6.4 | 1.6.4 |
Affected products
- KubeOperator/KubePi (range: <= 1.6.3)
Patches
0c6774bf5d9 fix: resolve system login log leak - unauthorized access
1 file changed · +4 −3
internal/api/v1/v1.go+4 −3 modified@@ -419,11 +419,12 @@ func WarpedJwtHandler() iris.Handler { func AddV1Route(app iris.Party) { v1Party := app.Party("/v1") - v1Party.Use(langHandler()) - v1Party.Use(pageHandler()) + session.Install(v1Party) mfa.Install(v1Party) authParty := v1Party.Party("") + v1Party.Use(langHandler()) + v1Party.Use(pageHandler()) authParty.Use(WarpedJwtHandler()) authParty.Use(authHandler()) @@ -436,7 +437,7 @@ func AddV1Route(app iris.Party) { user.Install(authParty) cluster.Install(authParty) role.Install(authParty) - system.Install(v1Party) + system.Install(authParty) proxy.Install(authParty) ws.Install(authParty) chart.Install(authParty)
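Review bot: in the first hunk, `v1Party.Use(langHandler())` and `v1Party.Use(pageHandler())` are moved to after `authParty := v1Party.Party("")` and after the new `session.Install(v1Party)`, but the commit message only mentions the log leak; please add a comment stating why the language and pagination handlers must be registered after the session routes, and confirm (ideally with a route test) that handlers registered on `authParty` still receive both middlewares now that the `Use` calls happen after the child party is created.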
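Review bot: the second hunk is the actual fix, `system.Install(v1Party)` becoming `system.Install(authParty)`, which puts the system routes behind `WarpedJwtHandler()` and `authHandler()` like `user`, `cluster`, `role`, `proxy`, `ws` and `chart` already are; since the defect was a single `Install` on the wrong party, add a test that walks every registered route and asserts that all routes except the intentionally public `session` and `mfa` ones reject unauthenticated requests, and leave a comment on the `v1Party` installs explaining that they are unauthenticated by design, so the next `Install` added here cannot silently reintroduce the leak.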
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gqx8-hxmv-c4v4 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-22478 (NVD advisory)
- github.com/1Panel-dev/KubePi/security/advisories/GHSA-gqx8-hxmv-c4v4 (web)
- github.com/KubeOperator/KubePi/commit/0c6774bf5d9003ae4d60257a3f207c131ff4a6d6 (fix commit)
- github.com/KubeOperator/KubePi/releases/tag/v1.6.4 (release)
- github.com/KubeOperator/KubePi/security/advisories/GHSA-gqx8-hxmv-c4v4 (vendor advisory)
News mentions
No linked articles in our index yet.