🟠 High | Source: Microsoft Security Response Center
CVE-2026-13208 is a vulnerability in KubeVirt’s virt-handler component, where the notify server accepts virtual machine instance (VMI) identity claims from unauthenticated gRPC request bodies without verification. This means an attacker could impersonate a VMI and potentially manipulate or interfere with virtual machine lifecycle operations. The flaw is particularly significant in environments running containerised virtual machines on Kubernetes, including Azure-hosted clusters.
Security Architect’s Take: Audit any AKS or Azure Red Hat OpenShift clusters running KubeVirt and apply available patches to the virt-handler component immediately. In the interim, restrict network access to the virt-handler gRPC notify server using network policies to limit exposure to trusted workloads only.
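The interim mitigation above can be expressed as a Kubernetes NetworkPolicy that allows ingress to the virt-handler pods only from the virt-launcher pods that legitimately talk to them. The manifest below is an added example, not part of the MSRC summary or the KubeVirt project's own manifests. It assumes KubeVirt is installed in the `kubevirt` namespace, that virt-handler pods carry the label `kubevirt.io: virt-handler` and virt-launcher pods the label `kubevirt.io: virt-launcher`, and that VM namespaces are tagged with a constructed label `kubevirt.io/vm-workloads: "true"`; confirm all three against your cluster before applying it.

```yaml
# Added example (not from the advisory or the KubeVirt project).
# Assumptions, to be verified on the target cluster:
#   - KubeVirt components live in the "kubevirt" namespace.
#   - virt-handler pods are labelled  kubevirt.io: virt-handler
#   - virt-launcher pods are labelled kubevirt.io: virt-launcher
#   - Namespaces that host VMIs carry the constructed label
#     kubevirt.io/vm-workloads: "true" (apply it with kubectl label ns ...).
#   - The cluster CNI enforces NetworkPolicy (not every AKS network plugin does).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: virt-handler-restrict-ingress
  namespace: kubevirt
spec:
  # Select only the virt-handler DaemonSet pods; other KubeVirt
  # components (virt-api, virt-controller, virt-operator) are unaffected.
  podSelector:
    matchLabels:
      kubevirt.io: virt-handler
  # Only ingress is restricted; virt-handler's outbound traffic to the
  # API server and to launcher pods is left as-is.
  policyTypes:
    - Ingress
  ingress:
    # Because this policy selects the virt-handler pods, any ingress not
    # matched by a rule below is denied. The single rule admits only
    # virt-launcher pods, and only from namespaces explicitly marked as
    # VM workload namespaces (namespaceSelector AND podSelector in one
    # "from" entry must both match).
    - from:
        - namespaceSelector:
            matchLabels:
              kubevirt.io/vm-workloads: "true"
          podSelector:
            matchLabels:
              kubevirt.io: virt-launcher
```

Two checks before relying on this: first, `kubectl -n kubevirt describe ds virt-handler` shows which ports the pods expose and which host paths are mounted, and a NetworkPolicy only governs pod-network traffic, so a listener reached over a node-local Unix socket or by a hostNetwork pod is outside its scope and must be covered by patching rather than policy. Second, after applying the policy, confirm that existing VMIs still start, migrate and stop cleanly; if the CNI does not enforce NetworkPolicy the object is accepted by the API server but silently has no effect.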
Original advisory: CVE-2026-13208 Kubevirt: virt-handler-rhel9: kubevirt: virt-handler notify server trusts vmi identity from unauthenticated grpc request body