Advisories for Golang/Github.com/Zxh326/Kite package

2026

Kite has an authenticated cluster RBAC bypass in /api/v1/overview

Authenticated Kite users with any role can request /api/v1/overview for a cluster that their roles do not permit by selecting that cluster with x-cluster-name. The overview route is registered before middleware.RBACMiddleware() and GetOverview only checks len(user.Roles) > 0, so it returns aggregate Kubernetes inventory and capacity data from unauthorized clusters. The issue is present on current main commit 38c9bb9d4b746c0d2a8252f3c35cdfa07ab01c21 and latest release v0.12.2 at commit 0aae35abb2d6a8adf623fe60349261aa48753ccc.