Go modules package
github.com/siderolabs/omni
pkg:golang/github.com/siderolabs/omni
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-45726 | high | — | — | >= 1.3.0, < 1.6.6 | 1.6.6 | Jun 5, 2026 | Omni supports importing standalone Talos clusters. During this process, an ImportedClusterSecrets resource is created, which contains the full CA secrets bundle for the cluster being imported. If these secrets are not rotated by the importing actor, an authenticated… |
| CVE-2026-45723 | low | — | — | < 1.6.6 | 1.6.6 | Jun 5, 2026 | `managementServer.CreateSchematic` (`internal/backend/grpc/schematics.go`) passes the caller-controlled `TalosVersion` field directly to `imageFactoryClient.OverlaysVersions`, which embeds it verbatim into a `fmt.Sprintf("/version/%s/overlays/official", talosVersion)`… |
| CVE-2026-45720 | high | — | — | < 1.6.6 | 1.6.6 | Jun 5, 2026 | `SAML.getSession` (`internal/pkg/auth/interceptor/saml.go`) checks the `Used` flag on a `SAMLAssertion` resource and then marks it used in two separate state operations. Because the check and the update are not atomic, concurrent requests carrying the same `saml-sessi`… |
| CVE-2025-61688 | — | — | — | >= 1.1.0-beta.0, < 1.1.5 | 1.1.5 | Oct 13, 2025 | Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, Omni might leak sensitive information via an API. |
| CVE-2025-59836 | — | — | — | >= 1.1.0-beta.0, < 1.1.5 | 1.1.5 | Oct 13, 2025 | Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, a nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/updat… |
| CVE-2025-59824 | — | — | — | < 0.48.0 | 0.48.0 | Sep 24, 2025 | Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to version 0.48.0, Omni Wireguard SideroLink has the potential to escape. Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and au… |
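The CVE-2026-45723 row describes a caller-controlled version string formatted verbatim into a request path. The following is an added illustration of that bug class and its fix, written for this page; it is not Omni's or Image Factory's code, and the function names, the `versionRe` grammar and the `factory.example` base URL are constructed assumptions. It shows the general effect of unescaped separators on a path (using Go's own `net/url` resolution rules, not any claim about Image Factory's routes) next to a version that validates the segment and escapes it.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// versionRe is the accepted grammar for a release tag in this example
// (assumption): optional leading "v", three dot-separated numbers, optional
// pre-release suffix of alphanumerics, dots and dashes. "/", "..", "?", "#"
// and whitespace never match, so they cannot reach the path.
var versionRe = regexp.MustCompile(`^v?[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$`)

var errBadVersion = errors.New("invalid talos version")

// UnsafeOverlaysPath mirrors the vulnerable shape: the caller-controlled
// string is formatted straight into the request path.
func UnsafeOverlaysPath(talosVersion string) string {
	return fmt.Sprintf("/version/%s/overlays/official", talosVersion)
}

// SafeOverlaysPath validates the version against versionRe and then escapes
// it as a single path segment, so the result is always exactly one
// "/version/<segment>/overlays/official" path.
func SafeOverlaysPath(talosVersion string) (string, error) {
	if !versionRe.MatchString(talosVersion) {
		return "", fmt.Errorf("%w: %q", errBadVersion, talosVersion)
	}
	return fmt.Sprintf("/version/%s/overlays/official", url.PathEscape(talosVersion)), nil
}

// ResolvedPath returns the path a client would end up requesting after
// net/url applies dot-segment resolution to p against base. It exists to show
// what ".." inside an unvalidated segment does to the final path.
func ResolvedPath(base, p string) (string, error) {
	b, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	ref, err := url.Parse(p)
	if err != nil {
		return "", err
	}
	return b.ResolveReference(ref).Path, nil
}

func main() {
	// Constructed inputs: two well-formed tags, then two that carry path
	// metacharacters.
	inputs := []string{"v1.9.0", "v1.10.0-beta.0", "v1.9.0/../../admin", "v1.9.0?x=1"}
	for _, in := range inputs {
		unsafe := UnsafeOverlaysPath(in)
		resolved, _ := ResolvedPath("https://factory.example/", unsafe)
		safe, err := SafeOverlaysPath(in)
		fmt.Printf("%-22q unsafe=%q resolves_to=%q safe=%q err=%v\n", in, unsafe, resolved, safe, err)
	}
}
```

The allow-list check is the real fix; `url.PathEscape` is defence in depth so that even a widened grammar can only ever produce one path segment. The same pattern applies to any identifier that is concatenated into a URL, file path or shell argument on behalf of a caller.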
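The CVE-2026-45720 row describes a check-then-mark on a single-use SAML assertion performed as two separate state operations. The following is an added model of that race and of the atomic alternative, written for this page; it is not Omni's code and does not use its state store. The `Assertion` type, the `pause` barrier hook and the goroutine driver are constructed so that the window between check and update is hit deterministically rather than by timing luck.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
)

var ErrAssertionUsed = errors.New("saml assertion already used")

// Assertion models a stored single-use assertion (constructed type).
type Assertion struct {
	ID   string
	used atomic.Bool
}

// RacyConsume is the check-then-update shape: a read of Used followed by a
// separate write. pause is called between the two steps so the driver can
// line up every caller inside the window.
func RacyConsume(a *Assertion, pause func()) error {
	if a.used.Load() {
		return ErrAssertionUsed
	}
	pause() // window: other callers can pass the check here
	a.used.Store(true)
	return nil
}

// AtomicConsume folds check and mark into one compare-and-swap, so exactly
// one caller wins whatever the interleaving. Against a store with versioned
// records the equivalent is a conditional update that fails when the record
// changed since it was read (assumption about such stores, not Omni's API).
func AtomicConsume(a *Assertion, pause func()) error {
	pause()
	if !a.used.CompareAndSwap(false, true) {
		return ErrAssertionUsed
	}
	return nil
}

// Replay runs n concurrent consumers of the same assertion and returns how
// many were granted a session. The barrier makes every goroutine reach pause
// before any continues, which is the worst-case interleaving for the racy
// version.
func Replay(n int, consume func(*Assertion, func()) error) int {
	a := &Assertion{ID: "constructed-assertion-id"}

	var barrier sync.WaitGroup
	barrier.Add(n)
	pause := func() {
		barrier.Done()
		barrier.Wait()
	}

	var wg sync.WaitGroup
	var granted atomic.Int32
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if consume(a, pause) == nil {
				granted.Add(1)
			}
		}()
	}
	wg.Wait()
	return int(granted.Load())
}

func main() {
	fmt.Println("racy consume, sessions granted:  ", Replay(8, RacyConsume))
	fmt.Println("atomic consume, sessions granted:", Replay(8, AtomicConsume))
}
```

The point to carry over to real code is that "read flag, then write flag" is only safe when both halves sit inside one atomic operation of the backing store (a compare-and-swap, a conditional update keyed on the record version, or a transaction); a mutex inside a single process does not help once the check and the update are separate round trips to shared state.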