CVSS 8.1 — HIGH
CSRG-2026-0428
CVE-2026-4881 — Kubernetes Kubelet Certificate Rotation Race Condition
A race condition in kubelet TLS certificate rotation affects Kubernetes v1.28 through v1.31. During automatic certificate renewal, an exploitation window of roughly 90 seconds allows man-in-the-middle (MitM) interception of kubelet API traffic on port 10250. The vulnerability permits unauthenticated API calls from within the cluster network, enabling arbitrary command execution in pods on affected nodes.
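To find nodes running a kubelet in the affected range stated above, the following added example (not part of the original advisory) classifies each node from `kubectl get nodes -o json` output. It assumes that every build in the v1.28 to v1.31 minor lines is affected, since the advisory names no fixed patch releases; the node names and sample data are constructed.

```python
import json
import re

# Affected minor lines as stated in the advisory: v1.28 through v1.31.
AFFECTED_MIN = (1, 28)
AFFECTED_MAX = (1, 31)

# Accepts upstream and vendor-suffixed versions,
# e.g. v1.30.2-gke.1587003 or v1.31.4+k3s1.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.\d+)?(?:[-+].*)?$")


def classify_kubelet(version):
    """Return 'affected', 'not-affected' or 'unknown' for a kubeletVersion string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "unknown"  # unparseable or missing: needs manual review
    minor_line = (int(m.group(1)), int(m.group(2)))
    if AFFECTED_MIN <= minor_line <= AFFECTED_MAX:
        return "affected"
    return "not-affected"


def triage_nodes(node_list_json):
    """Map node name -> (kubeletVersion, status) from `kubectl get nodes -o json`."""
    result = {}
    for item in json.loads(node_list_json).get("items", []):
        name = item.get("metadata", {}).get("name", "<unnamed>")
        node_info = item.get("status", {}).get("nodeInfo", {})
        version = node_info.get("kubeletVersion", "")
        result[name] = (version, classify_kubelet(version))
    return result


def _node(name, version):
    return {"metadata": {"name": name},
            "status": {"nodeInfo": {"kubeletVersion": version}}}


# Constructed sample input (not real cluster data).
SAMPLE = json.dumps({"items": [
    _node("node-a", "v1.27.16"), _node("node-b", "v1.28.0"),
    _node("node-c", "v1.30.2-gke.1587003"), _node("node-d", "v1.31.4+k3s1"),
    _node("node-e", "v1.32.0"), _node("node-f", ""),
]})

if __name__ == "__main__":
    for name, (version, status) in sorted(triage_nodes(SAMPLE).items()):
        print(f"{name}\t{version or '-'}\t{status}")
```

Against a live cluster, pass the output of `kubectl get nodes -o json` to `triage_nodes` in place of `SAMPLE`.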
Timeline
| Apr 28, 2026 | Advisory published |
| May 15, 2026 | Advisory updated |
| May 15, 2026 | Advisory indexed |
At a Glance
| Type | Race Condition |
| Component | kubelet (TLS certificate rotation) |
| Attack Vector | Network (Adjacent) |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |