Pinniped Supervisor Active Directory Group Authorization Vulnerability
A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elevated permissions in the clusters, only if all the following conditions were true: the Pinniped Supervisor server is running with an ActiveDirectoryIdentityProvider resource configured; the ActiveDirectoryIdentityProvider.spec.groupSearch.attributes.groupName is empty; the attacker gains the ability to edit some part of the distinguished name (DN) of group entries in the Active Directory (AD) server's database for groups to which they belong; the configured group search parameters cause the edited group to be included in the group search results for the user; and the attacker knows the password for an AD user who belongs to the edited AD group. Affected versions: Pinniped (go.pinniped.dev) v0.11.0 through v0.46.0 inclusive; fixed in v0.47.0.
Quick answer
VMware Tanzu Pinniped Supervisor should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Pinniped v0.11.0 through v0.46.0 inclusive
Fixed versions
- v0.47.0
How to fix it
Pinniped Supervisor is affected by CVE-2026-59269. a specific Active Directory groupSearch configuration can allow a user to gain elevated Kubernetes permissions. Upgrade affected Supervisor deployments from v0.11.0 through v0.46.0 to v0.47.0 or later and review Active Directory group mapping configuration.
- Inventory Kubernetes clusters that authenticate through Pinniped Supervisor with ActiveDirectoryIdentityProvider configured.
- Upgrade Pinniped Supervisor to v0.47.0 or later.
- Review ActiveDirectoryIdentityProvider.spec.groupSearch.attributes.groupName and ensure it is explicitly configured.
- Restrict who can edit Active Directory group distinguished names and group attributes.
- Review Kubernetes RBAC bindings that depend on AD group names returned by Pinniped.
- Audit recent authentication and authorization events for unexpected group membership or elevated access.
- Restart or roll out Pinniped components so patched controllers and services are active.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Pinniped Supervisor reports v0.47.0 or later.
- Confirm the ActiveDirectoryIdentityProvider groupName attribute is not empty in affected configurations.
- Test an AD user with edited group DN data in staging and confirm no unauthorized group is granted.
- Review Kubernetes audit logs for unexpected RBAC grants during the exposure window.
- Run a Fixnx scan and verify public cluster dashboards or identity endpoints are not exposed.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-59269?
VMware Tanzu Pinniped Supervisor versions listed as affected should be reviewed: Pinniped v0.11.0 through v0.46.0 inclusive.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
