Radius Controller May Delete a Container Resource via an Injected Deployment Annotation (Multi-Tenant Installs)

| Field | Value |
|---|---|
| CVE ID | CVE-2026-53999 |
| Vendor | go |
| Affected Product | github.com/radius-project/radius |
| Vulnerability Type | Missing validation of controller input (confused deputy; see Summary) |
| CVSS Score | 7.7 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See vendor advisory |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |

Summary

A configuration-validation issue in the Radius Kubernetes controller can cause it to issue a DELETE for the container resource referenced by a tampered radapp.io/status annotation on a Deployment. The controller trusts the annotation on the object it reconciles as the authority for which resource to delete, so anyone who can edit that annotation can steer a delete at a resource they do not own; this is the "confused deputy" pattern. Real-world impact is bounded and depends heavily on install topology: in a multi-tenant install (one controller reconciling Deployments across resource groups owned by different teams) it can affect another team's container, while in a single-tenant install it is only self-DoS. There is no data disclosure, no privilege escalation, and no persistence, and deleted resources are recoverable through standard Radius deployment workflows.
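The fix pattern for this class of bug is to stop treating the annotation as authoritative: the controller should check the annotation's target against scope it holds on its own (here, which resource group a Deployment's namespace is allowed to own) before issuing any DELETE. The Go snippet below is an added illustration of that check, written for this page; it is not Radius's code and does not reflect the vendor's actual patch. The JSON shape of the radapp.io/status value (`{"container": "<id>"}`), the resource-ID layout (`/planes/radius/local/resourceGroups/<rg>/providers/...`), and the namespace-to-resource-group mapping are all assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// StatusAnnotationKey is the Deployment annotation named in the advisory.
const StatusAnnotationKey = "radapp.io/status"

// statusAnnotation is an ASSUMED shape for the annotation value; the real
// schema is not given on this page and may differ.
type statusAnnotation struct {
	Container string `json:"container"`
}

// ParseContainerID pulls the container resource ID out of a Deployment's
// annotations. It fails closed: missing, malformed or empty input is an error.
func ParseContainerID(annotations map[string]string) (string, error) {
	raw, ok := annotations[StatusAnnotationKey]
	if !ok {
		return "", errors.New("no " + StatusAnnotationKey + " annotation")
	}
	var st statusAnnotation
	if err := json.Unmarshal([]byte(raw), &st); err != nil {
		return "", fmt.Errorf("malformed %s annotation: %w", StatusAnnotationKey, err)
	}
	if st.Container == "" {
		return "", errors.New("annotation carries no container ID")
	}
	return st.Container, nil
}

// ResourceGroupOf returns the resource-group segment of a Radius-style ID.
// ASSUMED layout: /planes/radius/local/resourceGroups/<rg>/providers/<ns>/<type>/<name>
func ResourceGroupOf(id string) (string, error) {
	parts := strings.Split(strings.Trim(id, "/"), "/")
	for i, seg := range parts {
		if strings.EqualFold(seg, "resourceGroups") {
			if i+1 < len(parts) && parts[i+1] != "" {
				return parts[i+1], nil
			}
			break
		}
	}
	return "", fmt.Errorf("no resource group in %q", id)
}

// AuthorizeDelete decides whether the controller may DELETE the container the
// annotation points at. trustedGroups maps Deployment namespace -> resource group
// that namespace is allowed to own. It is controller-side state, never read from
// the object being reconciled, so a tampered annotation cannot widen it.
func AuthorizeDelete(namespace string, annotations, trustedGroups map[string]string) (string, error) {
	id, err := ParseContainerID(annotations)
	if err != nil {
		return "", err
	}
	rg, err := ResourceGroupOf(id)
	if err != nil {
		return "", err
	}
	allowed, ok := trustedGroups[namespace]
	if !ok {
		return "", fmt.Errorf("namespace %q is not mapped to any resource group", namespace)
	}
	if !strings.EqualFold(rg, allowed) {
		return "", fmt.Errorf("refusing delete: %s is in group %q but namespace %q owns %q",
			id, rg, namespace, allowed)
	}
	return id, nil
}

func main() {
	// Constructed sample data: team-a's namespace, one honest annotation and one
	// rewritten to point at a container in team-b's resource group.
	trusted := map[string]string{"team-a": "team-a", "team-b": "team-b"}
	benign := map[string]string{StatusAnnotationKey: `{"container":"/planes/radius/local/resourceGroups/team-a/providers/Applications.Core/containers/web"}`}
	tampered := map[string]string{StatusAnnotationKey: `{"container":"/planes/radius/local/resourceGroups/team-b/providers/Applications.Core/containers/db"}`}

	for _, ann := range []map[string]string{benign, tampered} {
		if id, err := AuthorizeDelete("team-a", ann, trusted); err != nil {
			fmt.Println("blocked:", err)
		} else {
			fmt.Println("would delete:", id)
		}
	}
}
```

The key property is that the allow-list is keyed by something the tenant cannot rewrite (the namespace the object lives in) and the authoritative mapping lives with the controller; in a single-tenant install the map has one entry and the check is a no-op, which matches the advisory's note that the bug is only self-DoS there.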