HIGH | CVE-2026-32193 | Published | Modified | CNA: microsoft

CVE-2026-32193: Azure Kubernetes Service (AKS) Remote Code Execution Vulnerability

Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Azure Kubernetes Service allows an authorized attacker to execute code locally.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: v0.20260213.5
Affected Products: 1

HarborGuard Analysis

Synopsis

A path traversal vulnerability in Microsoft Azure Kubernetes Service (AKS) allows a locally authenticated attacker to execute arbitrary code on the host. The attacker must already have a low-privilege account or process on the affected system; no network access is required. Successful exploitation has a high impact on confidentiality, integrity, and availability, and because the scope is changed, that impact can reach resources outside the immediate container boundary. A patched-image rebuild at v0.20260213.5 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built AKS-based images. Any image running an AKS component version below v0.20260213.5 is flagged automatically.

Status: Available

Triage

HarborGuard scores this vulnerability at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at v0.20260213.5 is available through HarborGuard, because the upstream fix for this CVE is already confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-based vector is required to trigger the vulnerability.

  • Authentication: Required

    Any low-privilege local account is sufficient; the attacker does not need administrative or elevated credentials.

  • Victim interaction: Not required

    No action from another user or victim is needed; the attacker can trigger the exploit entirely on their own.

  • Attack complexity: Low

    The exploit is reliable and condition-free, requiring no race conditions, special memory layout, or environmental prerequisites beyond local access.

Blast Radius

  • Reads arbitrary files outside the intended directory boundary, including secrets, service account tokens, and configuration data on the host.
  • Writes or overwrites files outside the restricted path, enabling injection of malicious content into privileged locations.
  • Crashes or destabilizes the affected service and dependent workloads, causing service disruption across the node.
  • Because the scope is changed (S:C), impact can extend beyond the originating container or process to other resources on the same node or cluster.

How HarborGuard Handles This

Available on HarborGuard: images containing AKS components below v0.20260213.5 are matched against this CVE within minutes of the advisory entering upstream feeds, covering both pulled images and custom-built images in customer pipelines. Where compliance policy permits, a rebuilt image at v0.20260213.5 is made available immediately. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, executes a regression run against the patched image, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Customers not using auto-remediation receive a prioritized finding routed to the configured owner inbox, with the patched image available for manual promotion.

Affected packages
  • Microsoft / Azure Kubernetes Service
    < v0.20260213.5 (from 1.0)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C