Description
In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is directly concatenated into the command, allowing attackers to inject wget's `--header` option to achieve arbitrary HTTP header injection.
Published: 2026-03-30
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: SSRF & HTTP Header Injection
Action: Apply Patch
AI Analysis

Impact

An SSRF vulnerability exists in the mutating webhook and kubeconfiggenerator components of KubePlus version 4.1.4 when processing the chartURL field in ResourceComposition resources. The field is only URL-encoded, with no validation of the target address. In addition, the kubeconfiggenerator builds a wget command by directly concatenating the chartURL value, allowing attackers to inject wget's --header option and perform arbitrary HTTP header injection, which may subvert authentication or other security controls. The weakness corresponds to CWE-88 (Unvalidated Redirects and Forwards) and CWE-918 (Server Side Request Forgery).

Affected Systems

The vulnerability affects the KubePlus 4.1.4 distribution provided by CloudArk. No other vendors or product versions are listed as impacted, so the scope is limited to installations running this specific release.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity, while an EPSS score of less than 1% suggests a low current likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. Exploitation requires only a crafted ResourceComposition object containing an unvalidated chartURL value, which a remote attacker holding the privileges needed to create such objects (the CVSS vector records PR:H) could supply via the Kubernetes API server. The attack vector is therefore remote through the Kubernetes API: the attacker can force the server to perform requests to arbitrary URLs and inject custom HTTP headers, potentially exposing internal resources or facilitating credential theft.

Generated by OpenCVE AI on April 6, 2026 at 19:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest supported KubePlus version that resolves the SSRF and header injection flaw.
  • If an upgrade is not yet available, restrict the webhook to allow chartURL entries only from a whitelist of trusted registries.
  • Disable or remove the kubeconfiggenerator component if it is not essential.
  • Implement network segmentation or firewall rules to block outbound traffic from the KubePlus server to external hosts.
  • Monitor API server logs for unusual ResourceComposition creations that contain suspicious chartURL values.

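The second recommended action (accept chartURL only from trusted registries) and the argument-injection root cause can be enforced in one place. The following is an added defensive example, not KubePlus code: a validator that rejects anything that is not an https URL to an allowlisted host or that could be parsed as extra wget arguments, plus an argv builder that passes the URL as a single element instead of concatenating it into a shell string. TRUSTED_CHART_HOSTS and the function names are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment lists its own chart hosts.
TRUSTED_CHART_HOSTS = {"charts.example.internal", "charts.bitnami.com"}


def validate_chart_url(url: str) -> str:
    """Return url unchanged if it is safe to fetch; raise ValueError otherwise."""
    # Whitespace or control characters are how a value like
    # 'https://host/chart.tgz --header=...' becomes extra command-line tokens.
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        raise ValueError("whitespace or control characters in chartURL")
    # A leading dash would be read by wget as an option, not a URL.
    if url.startswith("-"):
        raise ValueError("chartURL must not look like a command-line option")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https chart URLs are accepted")
    host = parts.hostname  # urlsplit lowercases it for us
    if not host or parts.username or parts.password:
        raise ValueError("chartURL must carry a plain host and no embedded credentials")
    # Allowlisting by host also closes the SSRF half: link-local metadata
    # endpoints, cluster-internal services and raw IPs are simply not on the list.
    if host not in TRUSTED_CHART_HOSTS:
        raise ValueError(f"host {host!r} is not an allowed chart registry")
    return url


def is_accepted(url: str) -> bool:
    """Convenience wrapper for policy checks and tests."""
    try:
        validate_chart_url(url)
        return True
    except ValueError:
        return False


def wget_argv(url: str, dest: str) -> list[str]:
    """Build the wget command as an argv list so the URL is one argument.

    With subprocess.run(argv) there is no shell to split the string, and the
    '--' (standard getopt option terminator, assumed supported by GNU wget)
    guarantees the URL is never interpreted as an option.
    """
    return ["wget", "-q", "-O", dest, "--", validate_chart_url(url)]
```

The allowlist is keyed on the host name, so it still trusts DNS; pairing it with the egress rules in the fourth recommendation covers the case where an allowed name resolves somewhere unexpected.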

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000
  Title: SSRF and HTTP Header Injection in KubePlus 4.1.4

Mon, 06 Apr 2026 16:45:00 +0000
  First Time appeared: Cloudark; Cloudark kubeplus
  CPEs: cpe:2.3:a:cloudark:kubeplus:4.1.4:*:*:*:*:*:*:*
  Vendors & Products: Cloudark; Cloudark kubeplus

Fri, 03 Apr 2026 10:15:00 +0000
  First Time appeared: Cloud-ark; Cloud-ark kubeplus
  Vendors & Products: Cloud-ark; Cloud-ark kubeplus

Tue, 31 Mar 2026 03:00:00 +0000
  Title: SSRF and HTTP Header Injection in KubePlus 4.1.4

Mon, 30 Mar 2026 19:15:00 +0000
  Weaknesses: CWE-88; CWE-918
  Metrics:
    cvssV3_1: score 7.6, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
    ssvc (version 2.0.3): Automatable: no; Exploitation: poc; Technical Impact: partial

Mon, 30 Mar 2026 16:45:00 +0000
  Description: In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is directly concatenated into the command, allowing attackers to inject wget's `--header` option to achieve arbitrary HTTP header injection.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-30T18:42:18.548Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29954

Vulnrichment

Updated: 2026-03-30T18:39:20.851Z

NVD

Status: Analyzed

Published: 2026-03-30T17:16:15.867

Modified: 2026-04-06T15:51:33.017

Link: CVE-2026-29954

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:08:49Z

Weaknesses