Skip to main content

Kubernetes CVE-2026-32241

| EUVDEUVD-2026-16771 HIGH
Command Injection (CWE-77)
2026-03-27 GitHub_M GHSA-vchx-5pr6-ffx2
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 19:45 euvd
EUVD-2026-16771
Analysis Generated
Mar 27, 2026 - 19:45 vuln.today
CVE Published
Mar 27, 2026 - 19:31 nvd
HIGH 7.5

DescriptionGitHub Advisory

Flannel is a network fabric for containers, designed for Kubernetes. The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. In versions of Flannel prior to 0.28.2, this Extension backend is vulnerable to a command injection that allows an attacker who can set Kubernetes Node annotations to achieve root-level arbitrary command execution on every flannel node in the cluster. The Extension backend's SubnetAddCommand and SubnetRemoveCommand receive attacker-controlled data via stdin (from the flannel.alpha.coreos.com/backend-data Node annotation). The content of this annotation is unmarshalled and piped directly to a shell command without checks. Kubernetes clusters using Flannel with the Extension backend are affected by this vulnerability. Other backends such as vxlan and wireguard are unaffected. The vulnerability is fixed in version v0.28.2. As a workaround, use Flannel with another backend such as vxlan or wireguard.

AnalysisAI

Command injection in Flannel's experimental Extension backend allows authenticated Kubernetes users with node annotation privileges to execute arbitrary commands as root on all flannel nodes in the cluster. This affects Flannel versions prior to 0.28.2 using the Extension backend; other backends (vxlan, wireguard) are unaffected. No public exploit identified at time of analysis, but CVSS 7.5 reflects high impact once node annotation access is achieved. EPSS data not available for this recent CVE (2026 designation appears to be error; actual 2025 advisory).

Technical ContextAI

Flannel (cpe:2.3:a:flannel-io:flannel) is a CNI network fabric for Kubernetes that provides overlay networking for container clusters. The experimental Extension backend was designed for prototyping new backend implementations. The vulnerability (CWE-77: Command Injection) exists in the SubnetAddCommand and SubnetRemoveCommand handlers, which consume data from the flannel.alpha.coreos.com/backend-data Node annotation via stdin. This attacker-controlled JSON is unmarshalled and passed directly to shell execution without sanitization or validation. The architecture assumes Node annotations are trusted input, but Kubernetes RBAC models allow certain authenticated users to modify node metadata. Production backends like vxlan and wireguard use different code paths that do not involve external command execution from annotation data, making them immune to this specific injection vector.

RemediationAI

Upgrade to Flannel v0.28.2 or later, released by the flannel-io project at https://github.com/flannel-io/flannel/releases/tag/v0.28.2, which removes unsafe shell command execution from the Extension backend's annotation processing logic. Organizations unable to immediately upgrade should migrate to a production-supported backend such as vxlan (recommended for most deployments) or wireguard (for encrypted overlay requirements) by updating the Flannel DaemonSet configuration to specify a different backend type. Verify current backend configuration by inspecting the net-conf.json in the kube-flannel ConfigMap; if 'Type' is set to 'extension', immediate remediation is required. Review Kubernetes RBAC policies to restrict node annotation modification privileges to cluster administrators only, following principle of least privilege. Audit recent node annotation changes via Kubernetes API server logs to identify potential exploitation attempts targeting the flannel.alpha.coreos.com/backend-data annotation key.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-32241 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy