RATATOSKRATATOSK
Sign in

cert-manager

v1.19.6Security
Jun 26, 2026

v1.19.6 is a security patch fixing a HIGH severity RBAC privilege escalation in the cert-manager-edit ClusterRole that let users create ACME Challenge and Order resources directly, plus a Go toolchain update closing three CVEs. The RBAC fix includes a documented breaking permission change.

  • securityRBAC privilege escalation via ACME Challenge/Order creation

    Applies to v1.19.6: the default cert-manager-edit aggregate ClusterRole previously let namespace users create ACME Challenge and Order resources directly, bypassing Issuer solver selectors. This is fixed by removing create for challenges.acme.cert-manager.io and create/patch/update for orders.acme.cert-manager.io from that role. Upgrade to v1.19.6 to close this HIGH severity RBAC gap (GHSA-8rvj-mm4h-c258).

  • breakingcert-manager-edit ClusterRole loses Challenge/Order create permissions

    If any tooling or workflow creates Challenge or Order resources directly, outside the normal Certificate to CertificateRequest to Order to Challenge flow, it will lose that access after upgrading and needs those permissions granted explicitly.

  • securityGo toolchain updated to 1.25.11 for three CVEs

    Applies unconditionally in v1.19.6: Go is updated to 1.25.11, fixing CVE-2026-27145, CVE-2026-42504, and CVE-2026-42507. No action needed beyond upgrading.

Key changes (4)

  • HIGH severity RBAC fix (GHSA-8rvj-mm4h-c258): cert-manager-edit ClusterRole allowed users to create ACME Challenge/Order resources directly, bypassing Issuer solver selectors
  • Breaking: cert-manager-edit no longer grants create on challenges.acme.cert-manager.io or create/patch/update on orders.acme.cert-manager.io; direct Challenge/Order tooling needs explicit permissions now
  • Go updated to 1.25.11, fixing CVE-2026-27145, CVE-2026-42504, and CVE-2026-42507
  • Earlier Go bump to 1.25.10 plus other unspecified dependency updates