github.com/dragonflydb/dragonfly-operator is vulnerable to Improper Access Control
55
Medium Risk
The operator deployed Dragonfly with the admin listener on port 9999 using --admin_nopass, but did not apply any Kubernetes NetworkPolicy to limit which workloads could reach that port. Any pod on the cluster network could therefore open a connection to the unauthenticated admin interface and run privileged commands such as SLAVEOF, REPLTAKEOVER, CONFIG SET, and CLIENT KILL. A compromised or malicious workload could abuse that reachability to hijack replication, read or exfiltrate data, or corrupt state. The fix generates a NetworkPolicy per instance (on by default) that restricts admin-port ingress to the operator control plane and peer Dragonfly pods while leaving the client port broadly reachable.
You are affected if you are using a version that falls within the vulnerable range.
github.com/dragonflydb/dragonfly-operator is vulnerable to Improper Access Control in versions 0.0.1 - 1.4.0.
Upgrade the github.com/dragonflydb/dragonfly-operator library to a patched version (one later than 1.4.0).
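The advisory describes the fix only in outline: a per-instance NetworkPolicy that keeps the client port open but admits admin-port ingress only from the operator control plane and peer Dragonfly pods. The example below is added here and is not code from dragonfly-operator; it builds such a policy as a plain Kubernetes object and includes a small audit routine that flags the pre-fix condition (no policy selecting the pod, or a rule that leaves port 9999 reachable from any source). Only the admin port 9999 comes from the advisory. The pod and namespace labels, the operator namespace name and the client port 6379 (Dragonfly's default) are assumptions chosen for illustration.

```python
"""Fence a Dragonfly admin listener with a NetworkPolicy, and audit for gaps.

Added example; this is not code from dragonfly-operator. Only the admin port
9999 comes from the advisory. The pod/namespace labels, the operator
namespace and the client port 6379 (Dragonfly's default) are assumptions.
"""
import json

ADMIN_PORT = 9999   # unauthenticated admin listener named in the advisory
CLIENT_PORT = 6379  # assumed: Dragonfly's default client port


def build_admin_network_policy(instance, namespace,
                               operator_namespace="dragonfly-operator-system"):
    """Return a NetworkPolicy dict for one Dragonfly instance.

    Rule 1 leaves the client port reachable from any source; rule 2 admits
    traffic to the admin port only from the operator's controller pods and
    from peer pods of the same instance. Every label below is assumed.
    """
    instance_pods = {"matchLabels": {"app": instance}}
    operator_pods = {
        # namespaceSelector AND podSelector in one entry: both must match
        "namespaceSelector": {"matchLabels": {
            "kubernetes.io/metadata.name": operator_namespace}},
        "podSelector": {"matchLabels": {"control-plane": "controller-manager"}},
    }
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{instance}-admin-port", "namespace": namespace},
        "spec": {
            "podSelector": instance_pods,
            "policyTypes": ["Ingress"],
            "ingress": [
                # no `from` => any source may reach the client port
                {"ports": [{"protocol": "TCP", "port": CLIENT_PORT}]},
                # `from` present => admin port limited to these peers
                {"from": [operator_pods, {"podSelector": instance_pods}],
                 "ports": [{"protocol": "TCP", "port": ADMIN_PORT}]},
            ],
        },
    }


def _selects(selector, pod_labels):
    """matchLabels-only subset of Kubernetes label selection (empty = all)."""
    return all(pod_labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())


def _covers_admin_port(ports):
    """True if a rule's `ports` list includes the admin port (absent = all)."""
    if not ports:
        return True
    for entry in ports:
        lo = entry.get("port")
        hi = entry.get("endPort", lo)
        if isinstance(lo, int) and lo <= ADMIN_PORT <= hi:
            return True
    return False


def admin_port_exposed(policies, pod_labels):
    """Audit: can any source on the cluster network reach the admin port?

    Simplified model of NetworkPolicy semantics: a pod is exposed when no
    ingress policy selects it (the default-allow case the advisory describes)
    or when a selecting policy has an ingress rule that covers port 9999 with
    no `from` restriction. Rules that do carry `from` are treated as
    restricted; the peer selectors themselves are not evaluated here.
    """
    selecting = [p for p in policies
                 if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and _selects(p["spec"].get("podSelector", {}), pod_labels)]
    if not selecting:
        return True
    return any(_covers_admin_port(rule.get("ports")) and not rule.get("from")
               for p in selecting for rule in p["spec"].get("ingress", []))


def render(policy):
    """Serialize as JSON, which kubectl accepts in place of YAML."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_admin_network_policy("cache", "prod")
    print(render(policy))
    print("admin port exposed:", admin_port_exposed([policy], {"app": "cache"}))
```

Two points worth keeping in mind when applying this: a NetworkPolicy is only enforced if the cluster's CNI plugin implements the API, so the audit above should be paired with a check that the network plugin actually honours policies; and the audit deliberately treats any rule with a `from` clause as restricted, so it catches the advisory's condition (no policy, or an unrestricted rule on port 9999) but will not judge whether the peers that rule admits are the right ones.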