{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32254", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T14:47:05.686Z", "datePublished": "2026-03-18T03:14:39.392Z", "dateUpdated": "2026-03-18T13:35:56.647Z"}, "containers": {"cna": {"title": "Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgc3-qf8g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgc3-qf8g"}, {"name": "https://github.com/cloudnativelabs/kube-router/commit/a1f0b2eea3ee0f66b9a5b5c49dcb714619ccd456", "tags": ["x_refsource_MISC"], "url": "https://github.com/cloudnativelabs/kube-router/commit/a1f0b2eea3ee0f66b9a5b5c49dcb714619ccd456"}, {"name": "https://github.com/cloudnativelabs/kube-router/releases/tag/v2.8.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/cloudnativelabs/kube-router/releases/tag/v2.8.0"}], "affected": [{"vendor": "cloudnativelabs", "product": "kube-router", "versions": [{"version": "< 2.8.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T03:14:39.392Z"}, "descriptions": [{"lang": "en", "value": "Kube-router is a turnkey solution for Kubernetes networking. Prior to version 2.8.0, Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration. Version 2.8.0 contains a patch for the issue. Available workarounds include enabling DenyServiceExternalIPs feature gate, deploying admission policy, restricting service creation RBAC, monitoring service changes, and applying BGP prefix filtering."}], "source": {"advisory": "GHSA-phqm-jgc3-qf8g", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgc3-qf8g", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T13:35:53.287054Z", "id": "CVE-2026-32254", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T13:35:56.647Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32254", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T13:35:53.287054Z"}}}], "references": [{"url": "https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgc3-qf8g", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T13:35:47.222Z"}}], "cna": {"title": "Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS", "source": {"advisory": "GHSA-phqm-jgc3-qf8g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "cloudnativelabs", "product": "kube-router", "versions": [{"status": "affected", "version": "< 2.8.0"}]}], "references": [{"url": "https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgc3-qf8g", "name": "https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgc3-qf8g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/cloudnativelabs/kube-router/commit/a1f0b2eea3ee0f66b9a5b5c49dcb714619ccd456", "name": "https://github.com/cloudnativelabs/kube-router/commit/a1f0b2eea3ee0f66b9a5b5c49dcb714619ccd456", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/cloudnativelabs/kube-router/releases/tag/v2.8.0", "name": "https://github.com/cloudnativelabs/kube-router/releases/tag/v2.8.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Kube-router is a turnkey solution for Kubernetes networking. Prior to version 2.8.0, Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration. Version 2.8.0 contains a patch for the issue. Available workarounds include enabling DenyServiceExternalIPs feature gate, deploying admission policy, restricting service creation RBAC, monitoring service changes, and applying BGP prefix filtering."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T03:14:39.392Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32254", "state": "PUBLISHED", "dateUpdated": "2026-03-18T13:35:56.647Z", "dateReserved": "2026-03-11T14:47:05.686Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T03:14:39.392Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kube-router:kube-router:*:*:*:*:*:kubernetes:*:*", "matchCriteriaId": "C1324BAF-805F-49AF-9BAB-9218F73A9A2C", "versionEndExcluding": "2.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kube-router is a turnkey solution for Kubernetes networking. Prior to version 2.8.0, Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration. Version 2.8.0 contains a patch for the issue. Available workarounds include enabling DenyServiceExternalIPs feature gate, deploying admission policy, restricting service creation RBAC, monitoring service changes, and applying BGP prefix filtering."}, {"lang": "es", "value": "Kube-router es una soluci\u00f3n llave en mano para redes de Kubernetes. Antes de la versi\u00f3n 2.8.0, el m\u00f3dulo proxy de Kube-router no valida las externalIPs o las IPs de loadBalancer antes de programarlas en la configuraci\u00f3n de red del nodo. La versi\u00f3n 2.8.0 contiene un parche para el problema. Las soluciones alternativas disponibles incluyen habilitar la puerta de caracter\u00edsticas DenyServiceExternalIPs, desplegar una pol\u00edtica de admisi\u00f3n, restringir el RBAC de creaci\u00f3n de servicios, monitorear los cambios de servicio y aplicar el filtrado de prefijos BGP."}], "id": "CVE-2026-32254", "lastModified": "2026-03-19T18:06:51.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T04:17:24.340", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/cloudnativelabs/kube-router/commit/a1f0b2eea3ee0f66b9a5b5c49dcb714619ccd456"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/cloudnativelabs/kube-router/releases/tag/v2.8.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgc3-qf8g"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgc3-qf8g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.8.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "kube-router", "source": "cna", "vendor": "cloudnativelabs"}, "product": "kube-router", "vendor": "cloudnativelabs"}], "analysis": {"en": {"generated_at": "2026-03-19T19:51:42.019128+00:00", "value": {"mitigation_remediation": ["Apply kube\u2011router version 2.8.0 or later.", "Enable the DenyServiceExternalIPs feature gate.", "Deploy admission policies that reject externalIPs configurations.", "Restrict RBAC permissions for creating services that include externalIPs or loadBalancer IPs.", "Monitor service changes for unexpected externalIPs.", "Implement BGP prefix filtering to control traffic propagation."], "summary": {"action": "Immediate Patch", "impact": "Network Traffic Hijacking"}, "threat_synthesis": {"affected_systems": "All releases of cloudnativelabs:kube\u2011router older than v2.8.0 are affected. Any deployment that uses the proxy module and allows services to specify externalIPs or LoadBalancer IPs is vulnerable, regardless of the underlying Kubernetes version. The issue is fixed in kube\u2011router v2.8.0 and later releases.", "description_and_impact": "Kube\u2011router\u2019s proxy module, prior to version 2.8.0, fails to validate the externalIPs or LoadBalancer IPs that are assigned to a service before programming them into a node\u2019s network configuration. This flaw permits a cluster administrator or any user with sufficient RBAC permissions to introduce arbitrary IP addresses into the cluster, effectively hijacking traffic that matches those IPs across the entire Kubernetes environment. The vulnerability is identified as CWE\u2011284 (Improper Authorization).", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high-impact vulnerability. The EPSS score is reported to be less than 1\u202f%, implying that exploitation is currently uncommon in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the ability to create or modify services with arbitrary externalIPs or LoadBalancer IPs, typically a privilege reserved for cluster administrators or highly privileged users. Once a malicious IP is injected, an attacker can redirect or hijack traffic destined for any pod exposed through the affected service. There is no evidence from the CVE description of a denial\u2011of\u2011service capability beyond traffic hijacking."}}}}, "created": "2026-03-18T10:41:55.982069+00:00", "updated": "2026-03-24T10:59:25.347770+00:00", "vendors": ["cloudnativelabs", "cloudnativelabs$PRODUCT$kube-router"]}