CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-13318

mediumCVSS 6.4covered by 2 sourcesfirst seen 2026-06-09
A server-side request forgery (SSRF) flaw was found in KubeVirt's virt-api port-forward handler. When processing a port-forward request to a VirtualMachineInstance (VMI), virt-api reads the target IP from vmi.Status.Interfaces[0].IP and passes it directly to net.Dial() without validation. For VMIs using non-masquerade network bindings (bridge or secondary-only), this IP is reported by the QEMU guest agent running inside the VM and is fully controllable by the VM owner. An attacker with kubevirt.io:edit permissions can create a VM with a modified guest agent that reports an arbitrary IP address, then request port-forward to establish a bidirectional TCP tunnel from virt-api's cluster-internal network position to any routable destination, bypassing NetworkPolicy isolation.

CSIRTS triage

What
Server-side request forgery (ssrf) in virt-api port-forward via unvalidated guest-agent-reported IP.
Who is affected
Deployments using kubevirt are affected.
Urgency
Remediation is medium due to the potential for exploitation.
Action
Implement validation for guest-agent-reported IPs.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-13318

Get an email if CVE-2026-13318 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-13318

CVE.org record

Embed the live status

CVE-2026-13318 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-13318 status](https://www.csirts.com/badge/CVE-2026-13318)](https://www.csirts.com/cve/CVE-2026-13318)