diff --git a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/metadata.json b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/metadata.json
new file mode 100644
index 00000000000..68c3044d768
--- /dev/null
+++ b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/metadata.json
@@ -0,0 +1,10 @@
+{
+ "id": "8320826e-7a9c-4b0b-9535-578333193432",
+ "queryName": "RBAC Roles Allow Privilege Escalation",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges",
+ "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update",
+ "platform": "Kubernetes",
+ "descriptionID": "8320826e"
+}
diff --git a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/query.rego b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/query.rego
new file mode 100644
index 00000000000..4d4b6102d0e
--- /dev/null
+++ b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/query.rego
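Review bot: `descriptionText` names only the 'bind' and 'escalate' verbs, but the query in query.rego also reports a wildcard `*` verb on roles/clusterroles, so the finding text is narrower than what is actually detected. Appending something like `, including when granted through the '*' wildcard verb` to the description keeps the user-facing explanation in sync with the rule.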
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+ document := input.document[i]
+ metadata := document.metadata
+
+ kinds := {"Role", "ClusterRole"}
+ document.kind == kinds[_]
+
+ verbs := {"bind", "escalate", "*"}
+ resources := {"roles", "clusterroles"}
+ document.rules[j].resources[_] == resources[_]
+ document.rules[j].verbs[_] == verbs[_]
+
+ result := {
+ "documentId": document.id,
+ "searchKey": sprintf("metadata.name={{%s}}.rules", [metadata.name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("metadata.name={{%s}}.rules[%d].verbs should not include the 'bind' and/or 'escalate' permission", [metadata.name, j]),
+ "keyActualValue": sprintf("metadata.name={{%s}}.rules[%d].verbs includes the 'bind' and/or 'escalate' permission", [metadata.name, j]),
+ "searchLine": common_lib.build_search_line(["rules", j], ["verbs"])
+ }
+}
diff --git a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/negative.yaml b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/negative.yaml
new file mode 100644
index 00000000000..482893a0bf9
--- /dev/null
+++ b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/negative.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: not-rbac-binder
+rules:
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterrolebindings"]
+ verbs: ["create"]
diff --git a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive.yaml b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive.yaml
new file mode 100644
index 00000000000..39ffd8ea1de
--- /dev/null
+++ b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive.yaml
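Review bot: The resource match `document.rules[j].resources[_] == resources[_]` accepts only the literal names `roles` and `clusterroles`, so a rule that grants `bind`/`escalate` (or `*`) through `resources: ["*"]` is never reported, even though the verb set deliberately includes the wildcard; if wildcard resources are meant to be in scope, `resources := {"roles", "clusterroles", "*"}` closes that gap. The rule also never inspects `apiGroups`, so a same-named resource in another API group would be flagged — likely acceptable for this query, but worth stating in a comment above the `resources` set. Since a match on `*` alone reaches the `keyActualValue` text that says the verbs include 'bind' and/or 'escalate', a comment such as `# "*" grants every verb, including bind and escalate` above `verbs := {...}` would make that intent explicit to the next reader.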
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: rbac-binder
+rules:
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles"]
+ verbs: ["bind"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterrolebindings"]
+ verbs: ["create"]
diff --git a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json
new file mode 100644
index 00000000000..2d795e4b970
--- /dev/null
+++ b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json
@@ -0,0 +1,7 @@
+[
+ {
+ "queryName": "RBAC Roles Allow Privilege Escalation",
+ "severity": "MEDIUM",
+ "line": 8
+ }
+]
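Review bot: The positive fixture exercises only `bind` on `clusterroles` in a `ClusterRole`, so the `escalate` and `*` members of the query's verb set and its `Role` kind branch are untested; a second document such as `kind: Role` with `resources: ["roles"]` and `verbs: ["escalate"]`, plus a matching entry in positive_expected_result.json, would cover them. negative.yaml in the previous hunk likewise has no role that names `roles`/`clusterroles` with benign verbs such as `verbs: ["get", "list"]`, which is the case most likely to regress into a false positive if the verb matching is ever loosened.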