CVE-2025-64761

Impact

Similar to HCSEC-2025-13 / CVE-2025-5999, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user's permissions in the system. Specifically this is an issue when:

1. An operator in the root namespace has access to identity/groups endpoints.
2. An operator does not have policy access.

Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the sudo capability.

Patches

Patched in version 2.4.4.

Workarounds

Users should audit the use of identity subsystem and deny operators access if it is not in use.