CVE-2026-25518

cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in denial‑of‑service (DoS) of the cert-manager controller. The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor. This issue has been patched in versions 1.18.5 and 1.19.3.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/cert-manager/cert-manager/commit/409fc24e539711a07aae45ed45abbe03dfdad2cc	Patch
https://github.com/cert-manager/cert-manager/commit/9a73a0b3853035827edd37ac463e4803ba10327d	Patch
https://github.com/cert-manager/cert-manager/commit/d4faed26ae12115cceb807cdc12507ebc28980e2	Patch
https://github.com/cert-manager/cert-manager/pull/8467	Issue Tracking Patch
https://github.com/cert-manager/cert-manager/pull/8468	Issue Tracking Patch
https://github.com/cert-manager/cert-manager/pull/8469	Issue Tracking Patch
https://github.com/cert-manager/cert-manager/security/advisories/GHSA-gx3x-vq4p-mhhv	Mitigation Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cert-manager:cert-manager::::::::
	cpe:2.3:a:cert-manager:cert-manager::::::::

History

No history.

Information

Published : 2026-02-04 22:15

Updated : 2026-02-27 20:20

NVD link : CVE-2026-25518

Mitre link : CVE-2026-25518

CVE.ORG link : CVE-2026-25518

JSON object : View

Products Affected

cert-manager

cert-manager

CWE

CWE-129

Improper Validation of Array Index

CWE-704

Incorrect Type Conversion or Cast

{"id": "CVE-2026-25518", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2026-02-04T22:15:58.990", "references": [{"url": "https://github.com/cert-manager/cert-manager/commit/409fc24e539711a07aae45ed45abbe03dfdad2cc", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cert-manager/cert-manager/commit/9a73a0b3853035827edd37ac463e4803ba10327d", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cert-manager/cert-manager/commit/d4faed26ae12115cceb807cdc12507ebc28980e2", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cert-manager/cert-manager/pull/8467", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cert-manager/cert-manager/pull/8468", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cert-manager/cert-manager/pull/8469", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cert-manager/cert-manager/security/advisories/GHSA-gx3x-vq4p-mhhv", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-129"}, {"lang": "en", "value": "CWE-704"}]}], "descriptions": [{"lang": "en", "value": "cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in denial\u2011of\u2011service (DoS) of the cert-manager controller. The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor. This issue has been patched in versions 1.18.5 and 1.19.3."}, {"lang": "es", "value": "cert-manager a\u00f1ade certificados y emisores de certificados como tipos de recursos en cl\u00fasteres de Kubernetes, y simplifica el proceso de obtenci\u00f3n, renovaci\u00f3n y uso de esos certificados. En las versiones desde la 1.18.0 hasta antes de la 1.18.5 y desde la 1.19.0 hasta antes de la 1.19.3, el cert-manager-controller realiza b\u00fasquedas DNS durante el procesamiento ACME DNS-01 (para el descubrimiento de zonas y las autocomprobaciones de propagaci\u00f3n). Por defecto, estas b\u00fasquedas utilizan DNS est\u00e1ndar sin cifrar. Un atacante que puede interceptar y modificar el tr\u00e1fico DNS desde el pod del cert-manager-controller puede insertar una entrada manipulada en la cach\u00e9 DNS de cert-manager. Acceder a esta entrada provocar\u00e1 un p\u00e1nico, lo que resultar\u00e1 en una denegaci\u00f3n de servicio (DoS) del controlador de cert-manager. El problema tambi\u00e9n puede ser explotado si el servidor DNS autoritativo para el dominio que se est\u00e1 validando es controlado por un actor malicioso. Este problema ha sido parcheado en las versiones 1.18.5 y 1.19.3."}], "lastModified": "2026-02-27T20:20:22.113", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cert-manager:cert-manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BAF454D3-E7A8-42DD-BEF0-C26D9BD49EC3", "versionEndExcluding": "1.18.5", "versionStartIncluding": "1.18.0"}, {"criteria": "cpe:2.3:a:cert-manager:cert-manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB820C78-5014-4E4B-B7AF-EA9F687CD3ED", "versionEndExcluding": "1.19.3", "versionStartIncluding": "1.19.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}