lowCVE-2026-59269

Pinniped Supervisor Active Directory Group Authorization Vulnerability

A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elevated permissions in the clusters, only if all the following conditions were true: the Pinniped Supervisor server is running with an ActiveDirectoryIdentityProvider resource configured; the ActiveDirectoryIdentityProvider.spec.groupSearch.attributes.groupName is empty; the attacker gains the ability to edit some part of the distinguished name (DN) of group entries in the Active Directory (AD) server's database for groups to which they belong; the configured group search parameters cause the edited group to be included in the group search results for the user; and the attacker knows the password for an AD user who belongs to the edited AD group. Affected versions: Pinniped (go.pinniped.dev) v0.11.0 through v0.46.0 inclusive; fixed in v0.47.0.

ProductPinniped Supervisor
CVSS3.8
EPSS0.0017
UpdatedJuly 10, 2026

Quick answer

VMware Tanzu Pinniped Supervisor should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Pinniped v0.11.0 through v0.46.0 inclusive

Fixed versions

  • v0.47.0

How to fix it

Pinniped Supervisor is affected by CVE-2026-59269. a specific Active Directory groupSearch configuration can allow a user to gain elevated Kubernetes permissions. Upgrade affected Supervisor deployments from v0.11.0 through v0.46.0 to v0.47.0 or later and review Active Directory group mapping configuration.

  1. Inventory Kubernetes clusters that authenticate through Pinniped Supervisor with ActiveDirectoryIdentityProvider configured.
  2. Upgrade Pinniped Supervisor to v0.47.0 or later.
  3. Review ActiveDirectoryIdentityProvider.spec.groupSearch.attributes.groupName and ensure it is explicitly configured.
  4. Restrict who can edit Active Directory group distinguished names and group attributes.
  5. Review Kubernetes RBAC bindings that depend on AD group names returned by Pinniped.
  6. Audit recent authentication and authorization events for unexpected group membership or elevated access.
  7. Restart or roll out Pinniped components so patched controllers and services are active.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm Pinniped Supervisor reports v0.47.0 or later.
  • Confirm the ActiveDirectoryIdentityProvider groupName attribute is not empty in affected configurations.
  • Test an AD user with edited group DN data in staging and confirm no unauthorized group is granted.
  • Review Kubernetes audit logs for unexpected RBAC grants during the exposure window.
  • Run a Fixnx scan and verify public cluster dashboards or identity endpoints are not exposed.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-59269?

VMware Tanzu Pinniped Supervisor versions listed as affected should be reviewed: Pinniped v0.11.0 through v0.46.0 inclusive.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.