CVE-2024-53351
Description
Insecure permissions in PipeCD v0.49 allow attackers to steal the service account token, leading to Kubernetes cluster compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-53351 describes an insecure permission vulnerability in PipeCD v0.49 that allows attackers to access the service account's token [1][4]. This issue stems from improper access controls within the PipeCD components, enabling unauthorized token retrieval.
An attacker who compromises a worker node can exploit this by forcing a PipeCD pod with excessive permissions to run on that node, then extracting the service account token [4]. The token can be used to authenticate with the Kubernetes API server, bypassing normal authorization checks.
With the stolen token, an attacker can compromise all Secrets in the cluster and escalate privileges to potentially take over the entire Kubernetes cluster [4]. This represents a critical risk to environments using PipeCD for continuous delivery.
No official patch has been released as of the publication date, but PipeCD is actively maintained [2][3]. Users should review their RBAC configurations and consider upgrading to a fixed version when available.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/pipe-cd/pipecd (Go) | <= 0.49.0 | — |
Affected products
GHSA coordinates (2 versions):
- pkg:golang/github.com/pipe-cd/pipecd (no CPE), range: <= 0.49.0
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed (no CPE), range: < 0.0.20250327T184518-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-4jhw-c53w-w5r7 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-53351 (GHSA, advisory)
- gist.github.com/HouqiyuA/948a808b8bd48b17b37a4d5e0b6fb005 (GHSA, web)
- pipecd.dev (GHSA, web)
- pipecd.dev (MITRE)
News mentions
No linked articles in our index yet.