Skip to main content

CVE-2026-29954

| EUVDEUVD-2026-17133 HIGH
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-03-30 mitre GHSA-wh9f-6qqx-hhhv
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 30, 2026 - 16:45 euvd
EUVD-2026-17133
Analysis Generated
Mar 30, 2026 - 16:45 vuln.today
CVE Published
Mar 30, 2026 - 00:00 nvd
HIGH 7.6

DescriptionCVE.org

In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is directly concatenated into the command, allowing attackers to inject wget's --header option to achieve arbitrary HTTP header injection.

AnalysisAI

KubePlus 4.1.4 allows server-side request forgery (SSRF) and arbitrary HTTP header injection through improperly validated chartURL fields in ResourceComposition resources. The mutating webhook and kubeconfiggenerator components concatenate user-supplied chartURL values directly into wget command invocations without proper escaping, enabling attackers to inject wget options such as --header to forge HTTP requests or exfiltrate sensitive data. No patch version information is currently available, and exploitation status remains unconfirmed from authoritative sources.

Technical ContextAI

KubePlus is a Kubernetes extension framework that manages ResourceComposition objects. The vulnerability resides in two components: the mutating webhook, which processes ResourceComposition specifications, and the kubeconfiggenerator tool, which downloads Helm charts specified via the chartURL field. The root cause involves inadequate input validation and unsafe command construction-the chartURL is URL-encoded but not validated against a whitelist of allowed hosts or protocols, and critically, is concatenated directly into a shell command executing wget. This allows command injection via wget's command-line argument syntax. The SSRF vector permits requests to internal Kubernetes services, cloud metadata endpoints, or other restricted network resources. The HTTP header injection vector enables attackers to manipulate request headers, potentially bypassing authentication, cache poisoning, or exfiltrating data through response headers.

RemediationAI

No vendor-released patch identified at time of analysis. Organizations should immediately audit deployments of KubePlus 4.1.4 to determine exposure and contact the KubePlus project maintainers for patched version availability. As interim mitigations, restrict network access to kubeconfiggenerator endpoints using network policies, disable or remove the mutating webhook if not actively required, and implement input validation at the Kubernetes API level to reject ResourceComposition objects with suspicious chartURL values (those pointing to private IP ranges, localhost, or containing shell metacharacters). Refer to the public PoC and advisory at https://github.com/b0b0haha/CVE-2026-29954/blob/main/README.md and https://gist.github.com/b0b0haha/33baea60fd2a847f11f1fb02e43c64c0 for detailed exploitation mechanics and potential detection signatures.

Share

CVE-2026-29954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy