GHSA-VCHX-5PR6-FFX2

Vulnerability from github – Published: 2026-03-27 20:28 – Updated: 2026-03-27 21:48
VLAI?
Summary
Flannel has cross-node remote code execution via extension backend BackendData injection
Details

Background

The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. This backend uses shell commands stored in Kubernetes annotations to configure network connectivity on the node.

Note: consumers are only affected by this vulnerability if they use the experimental Extension backend. Other backends such as vxlan and wireguard are unaffected.

Vulnerability

This Extension backend is vulnerable to a command injection that allows an attacker who can set Kubernetes Node annotations to achieve root-level arbitrary command execution on every flannel node in the cluster.

The Extension backend's SubnetAddCommand and SubnetRemoveCommand receive attacker-controlled data via stdin (from the flannel.alpha.coreos.com/backend-data Node annotation). The content of this annotation is unmarshalled and piped directly to a shell command without checks.

Impact

Kubernetes clusters using Flannel with the Extension backend are affected by this vulnerability. Other backends such as vxlan and wireguard are unaffected.

Patches

This is fixed in version v0.28.2.

Workaround

If consumers cannot update to a patched version, then use Flannel with another backend such as vxlan or wireguard.

Credits

Flannel would like to thank Shachar Tal from Palo Alto Networks for reporting this vulnerability.

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.28.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/flannel-io/flannel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.28.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32241"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T20:28:13Z",
    "nvd_published_at": "2026-03-27T20:16:30Z",
    "severity": "HIGH"
  },
  "details": "### Background\nThe Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. This backend uses shell commands stored in Kubernetes annotations to configure network connectivity on the node.\n\nNote: consumers are only affected by this vulnerability if they use the experimental Extension backend. Other backends such as vxlan and wireguard are unaffected.\n\n### Vulnerability\nThis Extension backend is vulnerable to a command injection that allows an attacker who can set Kubernetes Node annotations to achieve root-level arbitrary command execution on every flannel node in the cluster.\n\nThe Extension backend\u0027s SubnetAddCommand and SubnetRemoveCommand receive attacker-controlled data via stdin (from the `flannel.alpha.coreos.com/backend-data` Node annotation). The content of this annotation is unmarshalled and piped directly to a shell command without checks.\n\n### Impact\nKubernetes clusters using Flannel with the Extension backend are affected by this vulnerability. Other backends such as vxlan and wireguard are unaffected.\n\n### Patches\nThis is fixed in version v0.28.2.\n\n### Workaround \nIf consumers cannot update to a patched version, then use Flannel with another backend such as vxlan or wireguard.\n\n### Credits\nFlannel would like to thank  Shachar Tal from Palo Alto Networks for reporting this vulnerability.",
  "id": "GHSA-vchx-5pr6-ffx2",
  "modified": "2026-03-27T21:48:12Z",
  "published": "2026-03-27T20:28:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/flannel-io/flannel/security/advisories/GHSA-vchx-5pr6-ffx2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32241"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flannel-io/flannel/commit/08bc9a4c990ae785d2fcb448f4991b58485cd26a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/flannel-io/flannel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flannel-io/flannel/releases/tag/v0.28.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flannel has cross-node remote code execution via extension backend BackendData injection"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.