Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from Vendor (https://github.com/metal3-io/ip-address-manager).
CVSS VectorVendor: https://github.com/metal3-io/ip-address-manager
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Impact
IPAM is the IP address Manager for Cluster API Provider Metal3. The IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data.
All users running ip-address-manager versions prior to the patched releases are affected.
Patches
Fixed in:
- v1.11.7
- v1.12.4
- v1.13.0
Users should upgrade to the patched version for their release branch.
Workarounds
Manually remove the Secrets resource entry from the metal3-ipam-controller-manager-role ClusterRole:
# Remove this entire block from the ClusterRole
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watchResources
- https://github.com/metal3-io/ip-address-manager/pull/1355
- https://github.com/metal3-io/ip-address-manager/pull/1356 (backport to release-1.12)
- https://github.com/metal3-io/ip-address-manager/pull/1357 (backport to release-1.11)
AnalysisAI
Excessive RBAC permissions in the Metal3 ip-address-manager (IPAM) controller's ClusterRole expose Kubernetes Secrets to post-compromise abuse. The metal3-ipam-controller-manager-role granted full CRUD on core/v1 Secrets - yet PR diff evidence confirms the controller never accesses Secrets in normal operation, making these permissions entirely unnecessary. If the controller pod is compromised via a supply chain attack or container escape, an attacker inheriting the controller's service account token can read, modify, or delete any Secret in the namespace, turning a narrow container compromise into cluster-wide credential exfiltration. No public exploit exists and no CISA KEV listing, but the confidentiality impact is rated High (C:H) by NVD.
Technical ContextAI
CWE-250 (Execution with Unnecessary Privileges) describes the root cause: a Kubernetes ClusterRole assigned more permissions than the workload requires. The affected package is pkg:go/github.com/metal3-io/ip-address-manager, the IPAM controller for Cluster API Provider Metal3 - a bare-metal Kubernetes provisioning framework. The role.yaml ClusterRole contained a full CRUD rules block (verbs: create, delete, get, list, patch, update, watch) on core/v1 Secrets. The PR diff (pull/1355) removes both the RBAC annotation in ippool_controller.go and a now-dead Secret cache configuration from main.go that had previously referenced a clusterSecretCacheSelector, suggesting this permission was a vestige of a removed feature rather than an oversight in new code. Kubernetes RBAC operates at the namespace boundary by default, so all Secrets within the deployment namespace are accessible under this ClusterRole.
RemediationAI
Upgrade to the patched release matching your current branch: v1.11.7 (backport via PR #1357), v1.12.4 (backport via PR #1356), or v1.13.0 (main branch via PR #1355). These releases remove the Secrets CRUD rules block from role.yaml entirely and strip the dead Secret cache configuration from main.go. If an immediate upgrade is not possible, apply the documented workaround by manually editing the metal3-ipam-controller-manager-role ClusterRole to delete the entire block granting verbs on the 'secrets' resource - this can be done with kubectl edit clusterrole metal3-ipam-controller-manager-role with no operational impact, since the controller does not use these permissions in normal operation. The workaround has no functional side effects. Advisory and patch PRs are at https://github.com/metal3-io/ip-address-manager/security/advisories/GHSA-49pm-43hf-6xfq.
Same weakness CWE-250 – Execution with Unnecessary Privileges
View allSame technique Privilege Escalation
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36463
GHSA-49pm-43hf-6xfq