CVE-2026-47190

Sažetak

IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data. This issue has been patched in versions 1.11.7, 1.12.4, and 1.13.0.

Reference

https://github.com/metal3-io/ip-address-manager/pull/1355
https://github.com/metal3-io/ip-address-manager/pull/1356
https://github.com/metal3-io/ip-address-manager/pull/1357
https://github.com/metal3-io/ip-address-manager/security/advisories/GHSA-49pm-43hf-6xfq

CVSS

Base:	4.4
Impact:	3.6
Exploitability:	0.7

Pristup

Vektor	Složenost	Autentikacija
NETWORK	HIGH	HIGH

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Zadnje važnije ažuriranje

12-06-2026 - 16:24

Objavljeno

12-06-2026 - 16:16