GPUs Kubernetes BareMetal Platform Engineering kMetal Hosted Control Plane

Ahead of Disclosure: Kamaji, CVE Support, and the CRA

When a CVE affects your Kubernetes control plane, the clock starts immediately – and where you are in the patch queue depends on who maintains the software you're running. This post covers what proactive CVE support actually looks like from the maintainer's side, why commercial subscribers to Kamaji get access to stable, patched branches before public disclosure, and why that structural advantage matters more as the EU Cyber Resilience Act raises the compliance bar for infrastructure providers.

Wednesday, July 15, 2026 Dario Tranchitella

Proactive CVE Support: What It Means to Back the Maintainer

A CVE affecting your Kubernetes control plane should involve a CISO conversation, a compliance review, and a race against public disclosure – often simultaneously.

For organizations running Kamaji in production, how that race goes depends largely on who you have behind you.


Maintainer-backing advantages

CLASTIX created Kamaji and remains its primary maintainer, which is a distinction that matters when a vulnerability gets identified. We have direct visibility into the codebase, control over stable branches, and the ability to prepare patched commits before a CVE is made public.

Commercial subscribers get access to those patched branches ahead of public disclosure. Not as a courtesy, but as a structural outcome of working directly with the team that owns the project end to end.

To illustrate the advantage of an active subscription, here is our average CVE response timeline:

  1. CLASTIX receives the CVE draft from the reporter, validates the content, and replicates the attack using the provided vector. If the report is valid, we triage it; if not, it is rejected or enhanced based on further investigation.

  2. Within 24 hours of triage, subscribers receive a pre-disclosure notification detailing the attack vector, methods for detecting potential exploitation, and instructions for mitigation in production environments.

  3. During this window, CLASTIX develops the required fixes for both the main branch and supported LTS versions, providing hotfixes for environments that cannot immediately update to the latest release.

  4. Once validated, we notify customers that patched artefacts are available as OCI images and Helm Charts, allowing for safe deployment before the official fix is merged upstream.

  5. Finally, we initiate the formal CVE disclosure process. CLASTIX contributes the stable-based fix to the upstream repository, open-sourcing the remediation for the benefit of the wider community.

This is the difference between only using open-source software and also backing the commitment of the maintainer to continue delivering that solution.

Recent CVE-2026-62246 and CVE-2026-62845 vulnerabilities are concrete examples of what proactive maintainer support looks like in practice. The vulnerabilities affect Kamaji deployments using a shared SQL datastore – a non-injective identifier derivation allows two distinct tenant control planes to silently collide on the same schema and database login, resulting in full cross-tenant access to another tenant's Kubernetes state, including Secrets, RBAC objects, and ServiceAccount tokens. The latter has a moderate impact, where an attacker could potentially inject SQL statements when giving the Tenant the ability to deeply customise their TenantControlPlane objects. CLASTIX identified the issues, prepared the fixes, and gave commercial subscribers access to the patched release before public disclosure.

CVE Known

The CRA is raising the bar

The EU Cyber Resilience Act (CRA) is changing what “secure software” means for infrastructure providers. Organizations offering Kubernetes-based services to enterprise or public sector customers will face tighter requirements around vulnerability response, disclosure timelines, and patch availability – and these all connect to your Kubernetes Security Posture Management (KSPM), as well.

Having a direct line to the maintainer – with access to stable, already-patched releases before a CVE goes public – is the kind of proactive security posture that the CRA expects.


Talk to us

If you are running Kamaji in production and want to understand what commercial support from CLASTIX looks like in practice, we would love to hear from you: Talk to us