CVE-2023-22478

KubePi is vulnerable to missing authorization

Basic Information

CVE State: PUBLISHED
Reserved Date: December 29, 2022
Published Date: January 14, 2023
Last Updated: March 10, 2025
Vendor: KubeOperator
Product: KubePi
Description: KubePi is a modern Kubernetes panel. The API interfaces with unauthorized entities and may leak sensitive information. This issue has been patched in version 1.6.4. There are currently no known workarounds.
Tags

CVSS Scores

CVSS v3.1

7.3 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score

Score: 80.62% (Percentile: 99.08%) as of 2025-07-29

SSVC Information

Exploitation: none
Automatable: Yes
Technical Impact: partial

Exploit Status

Exploited in the Wild: Yes (2025-07-07 00:00:00 UTC) Source

References

https://github.com/KubeOperator/KubePi/security/advisories/GHSA-gqx8-hxmv-c4v4 https://github.com/KubeOperator/KubePi/commit/0c6774bf5d9003ae4d60257a3f207c131ff4a6d6 https://github.com/KubeOperator/KubePi/releases/tag/v1.6.4

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2025-07-08 12:00:28 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-22478.yaml	2025-04-26 00:00:00 UTC

Timeline

CVE ID Reserved

December 29, 2022
CVE Published to Public

January 14, 2023
Detected by Nuclei

April 26, 2025
Added to KEVIntel

July 08, 2025