Vulnerability Name: Access Keys Allow Access Beyond Scope
Severity: Critical
CVSS Score: 9.1/10
CVE ID: CVE-2026-22806
Package: loft-sh/vcluster-platform
Affected Versions: <4.5.3, <4.4.2, <4.3.10
Patched Versions: 4.6.0, 4.5.4, 4.4.2, 4.3.10

CVSS v3 Base Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High

Impact: When an access key is created with a limited scope, the scope can be bypassed to access resources outside of it.

Example: Given a scenario with a user and two virtual clusters, a key scoped to only one cluster can be used to access the other.

Patches: Upgrading to 4.6.0, 4.5.4, 4.4.2, or 4.3.10 addresses the vulnerability.

Workarounds: Review access keys, ensure appropriate permission sets, and consider limiting access keys' scope.

References: Contact security@vcluster.com for further questions or comments.