Description
The `/registercrd` endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses `subprocess.Popen()` with `shell=True` parameter to execute shell commands, and the user-supplied `chartName` parameter is directly concatenated into the command string without any sanitization or validation. An attacker can inject arbitrary shell commands by crafting a malicious `chartName` parameter value.
Published: 2026-04-13
Score: 8.8 High
EPSS: 2.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The /registercrd endpoint in KubePlus 4.14’s kubeconfiggenerator component processes user‑supplied chartName data by directly concatenating it into a shell command executed via subprocess.Popen with shell=True. This lack of input sanitization allows an attacker to embed malicious shell commands, enabling unrestricted code execution on the host system. The weakness is a classic command injection (CWE-94).

Affected Systems

KubePlus version 4.14, specifically the kubeconfiggenerator component whose /registercrd API endpoint accepts a chartName parameter.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8, indicating high severity, yet its EPSS score of 2% suggests a low exploitation probability. It is not listed in CISA’s KEV catalog. The likely attack vector is remote, inferred from the fact that the vulnerable functionality is exposed as an HTTP API endpoint that accepts user‑supplied parameters. An attacker would need to send a crafted HTTP request to the /registercrd endpoint, which could be accessible through privileged or exposed interfaces. If successful, the attacker can achieve arbitrary shell execution, effectively taking full control over the kubeconfiggenerator service.

Generated by OpenCVE AI on June 16, 2026 at 13:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Request and apply a vendor‑issued patch for KubePlus 4.14 as soon as it becomes available.
  • If no patch is available, restrict access to the /registercrd endpoint to trusted administrators and secure it behind authentication and firewall rules.
  • Implement input validation or refactor the code to avoid shell usage, such as using subprocess.Popen with a list of arguments instead of shell=True.
  • Run the kubeconfiggenerator service with the minimum privileges required to perform its functions to limit damage if the endpoint is compromised.

Generated by OpenCVE AI on June 16, 2026 at 13:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Title KubePlus 4.14 Command Injection via /registercrd Endpoint

Fri, 01 May 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:cloudark:kubeplus:*:*:*:*:*:*:*:*

Thu, 16 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
Title KubePlus 4.14 Command Injection via /registercrd Endpoint

Wed, 15 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
Title KubePlus 4.14 Command Injection via /registercrd Endpoint
Weaknesses CWE-78

Wed, 15 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title KubePlus 4.14 Command Injection via /registercrd Endpoint
Weaknesses CWE-78

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Cloudark
Cloudark kubeplus
Vendors & Products Cloudark
Cloudark kubeplus

Mon, 13 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description The `/registercrd` endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses `subprocess.Popen()` with `shell=True` parameter to execute shell commands, and the user-supplied `chartName` parameter is directly concatenated into the command string without any sanitization or validation. An attacker can inject arbitrary shell commands by crafting a malicious `chartName` parameter value.
References

Subscriptions

Cloudark Kubeplus
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-15T17:44:09.045Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29955

cve-icon Vulnrichment

Updated: 2026-04-15T15:28:24.186Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-13T19:16:39.137

Modified: 2026-05-01T15:04:11.133

Link: CVE-2026-29955

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T14:00:19Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')