KubeVirt VMExport Path Traversal Information Disclosure

CVE-2026-9804 exposes a path traversal vulnerability in KubeVirt's virt-exportserver component that allows attackers with namespace-level access to read arbitrary files from the exporter pod's filesystem. By crafting symbolic links within exported PVCs that point outside their designated mount root, attackers can bypass directory constraints and access sensitive data they shouldn't. This vulnerability matters because KubeVirt is widely used for virtualization in Kubernetes environments, and namespace-level access is often granted to developers and operators who shouldn't have visibility into arbitrary pod filesystem contents. Organizations running KubeVirt in multi-tenant or restricted-access clusters face information disclosure risks including exposure of secrets, configuration data, and other sensitive files stored on exporter pods.

While this CVE doesn't currently map to specific MITRE ATT&CK techniques, Casky's AI-powered analysis would identify the attack pattern through CWE-59 (Improper Link Resolution Before File Access) and detect the reconnaissance and data exfiltration behaviors inherent in the exploit chain. Practitioners using Casky would see findings related to unauthorized file access attempts, abnormal symlink creation within PVC mounts, and filesystem traversal patterns that violate expected pod isolation boundaries. The platform's extended reasoning capabilities would correlate namespace-level permissions with suspicious file access logs, alerting security teams to potential exploitation attempts before sensitive data is compromised. By mapping this vulnerability against Casky's 754 security skills, practitioners gain visibility into the control gaps—such as inadequate PVC mount validation and missing symlink resolution controls—that enable this attack vector in their Kubernetes infrastructure.