CVE-2026-32254

Kube-router is a turnkey solution for Kubernetes networking. Prior to version 2.8.0, Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration. Version 2.8.0 contains a patch for the issue. Available workarounds include enabling DenyServiceExternalIPs feature gate, deploying admission policy, restricting service creation RBAC, monitoring service changes, and applying BGP prefix filtering.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/cloudnativelabs/kube-router/commit/a1f0b2eea3ee0f66b9a5b5c49dcb714619ccd456	Patch
https://github.com/cloudnativelabs/kube-router/releases/tag/v2.8.0	Product Release Notes
https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgc3-qf8g	Exploit Mitigation Patch Vendor Advisory
https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgc3-qf8g	Exploit Mitigation Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:kube-router:kube-router:*:*:*:*:*:kubernetes:*:*

History

No history.

Information

Published : 2026-03-18 04:17

Updated : 2026-03-19 18:06

NVD link : CVE-2026-32254

Mitre link : CVE-2026-32254

CVE.ORG link : CVE-2026-32254

JSON object : View

Products Affected

kube-router

kube-router

CWE

CWE-284

Improper Access Control

{"id": "CVE-2026-32254", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2026-03-18T04:17:24.340", "references": [{"url": "https://github.com/cloudnativelabs/kube-router/commit/a1f0b2eea3ee0f66b9a5b5c49dcb714619ccd456", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cloudnativelabs/kube-router/releases/tag/v2.8.0", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgc3-qf8g", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-phqm-jgc3-qf8g", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Kube-router is a turnkey solution for Kubernetes networking. Prior to version 2.8.0, Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration. Version 2.8.0 contains a patch for the issue. Available workarounds include enabling DenyServiceExternalIPs feature gate, deploying admission policy, restricting service creation RBAC, monitoring service changes, and applying BGP prefix filtering."}, {"lang": "es", "value": "Kube-router es una soluci\u00f3n llave en mano para redes de Kubernetes. Antes de la versi\u00f3n 2.8.0, el m\u00f3dulo proxy de Kube-router no valida las externalIPs o las IPs de loadBalancer antes de programarlas en la configuraci\u00f3n de red del nodo. La versi\u00f3n 2.8.0 contiene un parche para el problema. Las soluciones alternativas disponibles incluyen habilitar la puerta de caracter\u00edsticas DenyServiceExternalIPs, desplegar una pol\u00edtica de admisi\u00f3n, restringir el RBAC de creaci\u00f3n de servicios, monitorear los cambios de servicio y aplicar el filtrado de prefijos BGP."}], "lastModified": "2026-03-19T18:06:51.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kube-router:kube-router:*:*:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "C1324BAF-805F-49AF-9BAB-9218F73A9A2C", "versionEndExcluding": "2.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}