https://xpw6.github.io/Recent content on Essam AlanaziHugoen-usSun, 12 Apr 2026 12:00:00 +0300https://xpw6.github.io/research/escaping-kubernetes-operators/Sun, 12 Apr 2026 12:00:00 +0300https://xpw6.github.io/research/escaping-kubernetes-operators/<h1 id="escaping-kubernetes-operators-hardlink-traversal-and-the-zipslip-blind-spot">Escaping Kubernetes Operators: Hardlink Traversal and the ZipSlip Blind Spot</h1> <p><strong>Note:</strong> This vulnerability was independently discovered during a bug bounty engagement. Although it was ultimately marked as a duplicate, I am sharing this write-up due to its critical severity (CVSS 10.0) and to highlight the interesting technical mechanics of hardlink traversal in Kubernetes operators. The vulnerability has since been confirmed patched by the vendor.</p> <p>Kubernetes operators run at a position of extraordinary trust. They typically execute as highly privileged DaemonSets, pulling external state like container images, configs, and agent binaries, then unpacking it directly onto host nodes so it can be mounted into user workloads. That makes the unpacking step a critical security boundary: if it&rsquo;s flawed, the operator becomes a confused deputy, faithfully writing files on behalf of an attacker.</p>